kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
kops/k8s/crds/kops.k8s.io_clusters.yaml

5595 lines
299 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: clusters.kops.k8s.io
spec:
group: kops.k8s.io
names:
kind: Cluster
listKind: ClusterList
plural: clusters
singular: cluster
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterSpec defines the configuration for a cluster
properties:
DisableSubnetTags:
description: DisableSubnetTags controls if subnets are tagged in AWS
type: boolean
additionalNetworkCIDRs:
description: AdditionalNetworkCIDRs is a list of additional CIDR used
for the AWS VPC or otherwise allocated to k8s. This is a real CIDR,
not the internal k8s network On AWS, it maps to any additional CIDRs
added to a VPC.
items:
type: string
type: array
additionalPolicies:
additionalProperties:
type: string
description: Additional policies to add for roles
type: object
additionalSans:
description: AdditionalSANs adds additional Subject Alternate Names
to apiserver cert that kops generates
items:
type: string
type: array
addons:
description: Additional addons that should be installed on the cluster
items:
description: AddonSpec defines an addon that we want to install
in the cluster
properties:
manifest:
description: Manifest is a path to the manifest that defines
the addon
type: string
type: object
type: array
api:
description: API field controls how the API is exposed outside the
cluster
properties:
dns:
description: DNS will be used to provide config on kube-apiserver
ELB DNS
type: object
loadBalancer:
description: LoadBalancer is the configuration for the kube-apiserver
ELB
properties:
accessLog:
description: AccessLog is the configuration of access logs
properties:
bucket:
description: Bucket is S3 bucket name to store the logs
in
type: string
bucketPrefix:
description: BucketPrefix is S3 bucket prefix. Logs are
stored in the root if not configured.
type: string
interval:
description: Interval is publishing interval in minutes.
This parameter is only used with classic load balancer.
type: integer
type: object
additionalSecurityGroups:
description: AdditionalSecurityGroups attaches additional
security groups (e.g. sg-123456).
items:
type: string
type: array
class:
description: 'LoadBalancerClass specifies the class of load
balancer to create: Classic, Network'
type: string
crossZoneLoadBalancing:
description: CrossZoneLoadBalancing allows you to enable the
cross zone load balancing
type: boolean
idleTimeoutSeconds:
description: IdleTimeoutSeconds sets the timeout of the api
loadbalancer.
format: int64
type: integer
securityGroupOverride:
description: SecurityGroupOverride overrides the default Kops
created SG for the load balancer.
type: string
sslCertificate:
description: SSLCertificate allows you to specify the ACM
cert to be used the LB
type: string
sslPolicy:
description: SSLPolicy allows you to overwrite the LB listener's
Security Policy
type: string
subnets:
description: Subnets allows you to specify the subnets that
must be used for the load balancer
items:
description: LoadBalancerSubnetSpec provides configuration
for subnets used for a load balancer
properties:
allocationId:
description: AllocationID specifies the Elastic IP Allocation
ID for use by a NLB
type: string
name:
description: Name specifies the name of the cluster
subnet
type: string
privateIPv4Address:
description: PrivateIPv4Address specifies the private
IPv4 address to use for a NLB
type: string
type: object
type: array
type:
description: Type of load balancer to create may Public or
Internal.
type: string
useForInternalApi:
description: UseForInternalAPI indicates whether the LB should
be used by the kubelet
type: boolean
type: object
type: object
assets:
description: Alternative locations for files and containers
properties:
containerProxy:
description: ContainerProxy is a url for a pull-through proxy
of a docker registry
type: string
containerRegistry:
description: ContainerRegistry is a url for to a docker registry
type: string
fileRepository:
description: FileRepository is the url for a private file serving
repository
type: string
type: object
authentication:
description: Authentication field controls how the cluster is configured
for authentication
properties:
aws:
properties:
backendMode:
description: BackendMode is the AWS IAM Authenticator backend
to use. Default MountedFile
type: string
clusterID:
description: ClusterID identifies the cluster performing authentication
to prevent certain replay attacks. Default master public
DNS name
type: string
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit CPU limit of AWS IAM Authenticator container.
Default 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest CPU request of AWS IAM Authenticator
container. Default 10m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
identityMappings:
description: IdentityMappings maps IAM Identities to Kubernetes
users/groups
items:
properties:
arn:
description: Arn of the IAM User or IAM Role to be allowed
to authenticate
type: string
groups:
description: Groups to be attached to your users/roles
items:
type: string
type: array
username:
description: Username that Kubernetes will see the user
as
type: string
type: object
type: array
image:
description: Image is the AWS IAM Authenticator docker image
to uses
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit memory limit of AWS IAM Authenticator
container. Default 20Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest memory request of AWS IAM Authenticator
container. Default 20Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
kopeio:
type: object
type: object
authorization:
description: Authorization field controls how the cluster is configured
for authorization
properties:
alwaysAllow:
type: object
rbac:
type: object
type: object
awsLoadBalancerController:
description: AWSLoadbalancerControllerConfig determines the AWS LB
controller configuration.
properties:
enableShield:
description: 'EnableShield specifies whether the controller can
enable Shield Advanced. Default: false'
type: boolean
enableWAF:
description: 'EnableWAF specifies whether the controller can use
WAFs (Classic Regional). Default: false'
type: boolean
enableWAFv2:
description: 'EnableWAFv2 specifies whether the controller can
use WAFs (V2). Default: false'
type: boolean
enabled:
description: 'Enabled enables the loadbalancer controller. Default:
false'
type: boolean
version:
description: Version is the container image tag used.
type: string
type: object
certManager:
description: CertManager determines the metrics server configuration.
properties:
defaultIssuer:
description: 'defaultIssuer sets a default clusterIssuer Default:
none'
type: string
enabled:
description: 'Enabled enables the cert manager. Default: false'
type: boolean
image:
description: 'Image is the docker container used. Default: the
latest supported image for the specified kubernetes version.'
type: string
managed:
description: Managed controls if cert-manager is manged and deployed
by kOps. The deployment of cert-manager is skipped if this is
set to false.
type: boolean
nameservers:
description: 'nameservers is a list of nameserver IP addresses
to use instead of the pod defaults. Default: none'
items:
type: string
type: array
type: object
channel:
description: The Channel we are following
type: string
cloudConfig:
description: CloudConfiguration defines the cloud provider configuration
properties:
awsEBSCSIDriver:
description: AWSEBSCSIDriver is the config for the AWS EBS CSI
driver
properties:
enabled:
description: 'Enabled enables the AWS EBS CSI driver Default:
false'
type: boolean
podAnnotations:
additionalProperties:
type: string
description: 'PodAnnotations are the annotations added to
AWS EBS CSI node and controller Pods. Default: none'
type: object
version:
description: 'Version is the container image tag used. Default:
The latest stable release which is compatible with your
Kubernetes version'
type: string
volumeAttachLimit:
description: 'VolumeAttachLimit is the maximum number of volumes
attachable per node. If specified, the limit applies to
all nodes. If not specified, the value is approximated from
the instance type. Default: -'
type: integer
type: object
azure:
description: Azure cloud-config options
properties:
adminUser:
description: AdminUser specifies the admin user of VMs.
type: string
resourceGroupName:
description: ResourceGroupName specifies the name of the resource
group where the cluster is built. If this is empty, kops
will create a new resource group whose name is same as the
cluster name. If this is not empty, kops will not create
a new resource group, and it will just reuse the existing
resource group of the name. This follows the model that
kops takes for AWS VPC.
type: string
routeTableName:
description: RouteTableName is the name of the route table
attached to the subnet that the cluster is deployed in.
type: string
subscriptionId:
description: SubscriptionID specifies the subscription used
for the cluster installation.
type: string
tenantId:
description: TenantID is the ID of the tenant that the cluster
is deployed in.
type: string
required:
- tenantId
type: object
disableSecurityGroupIngress:
description: AWS cloud-config options
type: boolean
elbSecurityGroup:
type: string
gceServiceAccount:
description: GCEServiceAccount specifies the service account with
which the GCE VM runs
type: string
gcpPDCSIDriver:
description: GCPPDCSIDriver is the config for the GCP PD CSI driver
properties:
enabled:
description: Enabled enables the GCP PD CSI driver
type: boolean
type: object
manageStorageClasses:
description: ManageStorageClasses specifies whether kOps should
create and maintain a set of StorageClasses, one of which it
nominates as the default class for the cluster.
type: boolean
multizone:
description: GCE cloud-config options
type: boolean
nodeIPFamilies:
description: NodeIPFamilies controls the IP families reported
for each node (AWS only).
items:
type: string
type: array
nodeInstancePrefix:
type: string
nodeTags:
type: string
openstack:
description: Openstack cloud-config options
properties:
blockStorage:
properties:
bs-version:
type: string
createStorageClass:
description: CreateStorageClass provisions a default class
for the Cinder plugin
type: boolean
csiPluginImage:
type: string
csiTopologySupport:
type: boolean
ignore-volume-az:
type: boolean
override-volume-az:
type: string
type: object
insecureSkipVerify:
type: boolean
loadbalancer:
description: OpenstackLoadbalancerConfig defines the config
for a neutron loadbalancer
properties:
enableIngressHostname:
type: boolean
floatingNetwork:
type: string
floatingNetworkID:
type: string
floatingSubnet:
type: string
ingressHostnameSuffix:
type: string
manageSecurityGroups:
type: boolean
method:
type: string
provider:
type: string
subnetID:
type: string
useOctavia:
type: boolean
type: object
metadata:
description: OpenstackMetadata defines config for metadata
service related settings
properties:
configDrive:
description: ConfigDrive specifies to use config drive
for retrieving user data instead of the metadata service
when launching instances
type: boolean
type: object
monitor:
description: OpenstackMonitor defines the config for a health
monitor
properties:
delay:
type: string
maxRetries:
type: integer
timeout:
type: string
type: object
network:
description: OpenstackNetwork defines the config for a network
properties:
availabilityZoneHints:
items:
type: string
type: array
type: object
router:
description: OpenstackRouter defines the config for a router
properties:
availabilityZoneHints:
items:
type: string
type: array
dnsServers:
type: string
externalNetwork:
type: string
externalSubnet:
type: string
type: object
type: object
spotinstOrientation:
type: string
spotinstProduct:
description: Spotinst cloud-config specs
type: string
vSphereCoreDNSServer:
description: VSphereCoreDNSServer is unused.
type: string
vSphereDatacenter:
description: VShpereDatacenter is unused.
type: string
vSphereDatastore:
description: VSphereDatastore is unused.
type: string
vSpherePassword:
description: VSpherePassword is unused.
type: string
vSphereResourcePool:
description: VSphereResourcePool is unused.
type: string
vSphereServer:
description: VSphereServer is unused.
type: string
vSphereUsername:
description: VSphereUsername is unused.
type: string
type: object
cloudControllerManager:
description: CloudControllerManagerConfig is the configuration of
the cloud controller
properties:
allocateNodeCIDRs:
description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated
and, if ConfigureCloudRoutes is true, to be set on the cloud
provider.
type: boolean
cidrAllocatorType:
description: CIDRAllocatorType specifies the type of CIDR allocator
to use.
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterCIDR:
description: ClusterCIDR is CIDR Range for Pods in cluster.
type: string
clusterName:
description: ClusterName is the instance prefix for the cluster.
type: string
configureCloudRoutes:
description: ConfigureCloudRoutes enables CIDRs allocated with
to be configured on the cloud provider.
type: boolean
controllers:
description: Controllers is a list of controllers to enable on
the controller-manager
items:
type: string
type: array
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest of CloudControllerManager container.
Default: 200m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableLeaderMigration:
description: EnableLeaderMigration enables controller leader migration.
type: boolean
image:
description: Image is the OCI image of the cloud controller manager.
type: string
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: leaderElect enables a leader election client
to gain leadership before executing the main loop. Enable
this when running replicated components for high availability.
type: boolean
leaderElectLeaseDuration:
description: leaderElectLeaseDuration is the length in time
non-leader candidates will wait after observing a leadership
renewal until attempting to acquire leadership of a led
but unrenewed leader slot. This is effectively the maximum
duration that a leader can be stopped before it is replaced
by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: LeaderElectRenewDeadlineDuration is the interval
between attempts by the acting master to renew a leadership
slot before it stops leading. This must be less than or
equal to the lease duration.
type: string
leaderElectResourceLock:
description: LeaderElectResourceLock is the type of resource
object that is used for locking during leader election.
Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: LeaderElectRetryPeriod is The duration the clients
should wait between attempting acquisition and renewal of
a leadership. This is only applicable if leader election
is enabled.
type: string
type: object
logLevel:
description: LogLevel is the verbosity of the logs.
format: int32
type: integer
master:
description: Master is the url for the kube api master.
type: string
useServiceAccountCredentials:
description: UseServiceAccountCredentials controls whether we
use individual service account credentials for each controller.
type: boolean
type: object
cloudLabels:
additionalProperties:
type: string
description: CloudLabels defines additional tags or labels on cloud
provider resources
type: object
cloudProvider:
description: The CloudProvider to use (aws or gce)
type: string
clusterAutoscaler:
description: ClusterAutoscaler defines the cluaster autoscaler configuration.
properties:
awsUseStaticInstanceList:
description: 'AWSUseStaticInstanceList makes cluster autoscaler
to use statically defined set of AWS EC2 Instance List. Default:
false'
type: boolean
balanceSimilarNodeGroups:
description: 'BalanceSimilarNodeGroups makes cluster autoscaler
treat similar node groups as one. Default: false'
type: boolean
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest of cluster autoscaler container. Default:
100m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: 'Enabled enables the cluster autoscaler. Default:
false'
type: boolean
expander:
description: 'Expander determines the strategy for which instance
group gets expanded. Supported values: least-waste, most-pods,
random, price, priority. The price expander is only supported
on GCE. The priority expander requires additional configuration
via a ConfigMap. Default: least-waste'
type: string
image:
description: 'Image is the docker container used. Default: the
latest supported image for the specified kubernetes version.'
type: string
maxNodeProvisionTime:
description: MaxNodeProvisionTime determines how long CAS will
wait for a node to join the cluster.
type: string
memoryRequest:
anyOf:
- type: integer
- type: string
description: 'MemoryRequest of cluster autoscaler container. Default:
300Mi'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
newPodScaleUpDelay:
description: 'NewPodScaleUpDelay causes cluster autoscaler to
ignore unschedulable pods until they are a certain "age", regardless
of the scan-interval Default: 0s'
type: string
podAnnotations:
additionalProperties:
type: string
description: 'PodAnnotations are the annotations added to cluster
autoscaler pod when they are created. Default: none'
type: object
scaleDownDelayAfterAdd:
description: 'ScaleDownDelayAfterAdd determines the time after
scale up that scale down evaluation resumes Default: 10m0s'
type: string
scaleDownUtilizationThreshold:
description: 'ScaleDownUtilizationThreshold determines the utilization
threshold for node scale-down. Default: 0.5'
type: string
skipNodesWithLocalStorage:
description: 'SkipNodesWithLocalStorage makes cluster autoscaler
skip scale-down of nodes with local storage. Default: true'
type: boolean
skipNodesWithSystemPods:
description: 'SkipNodesWithSystemPods makes cluster autoscaler
skip scale-down of nodes with non-DaemonSet pods in the kube-system
namespace. Default: true'
type: boolean
type: object
clusterDNSDomain:
description: ClusterDNSDomain is the suffix we use for internal DNS
names (normally cluster.local)
type: string
configBase:
description: ConfigBase is the path where we store configuration for
the cluster This might be different that the location when the cluster
spec itself is stored, both because this must be accessible to the
cluster, and because it might be on a different cloud or storage
system (etcd vs S3)
type: string
configStore:
description: ConfigStore is the VFS path to where the configuration
(Cluster, InstanceGroups etc) is stored
type: string
containerRuntime:
description: Container runtime to use for Kubernetes
type: string
containerd:
description: Component configurations
properties:
address:
description: Address of containerd's GRPC server (default "/run/containerd/containerd.sock").
type: string
configOverride:
description: ConfigOverride is the complete containerd config
file provided by the user.
type: string
logLevel:
description: LogLevel controls the logging details [trace, debug,
info, warn, error, fatal, panic] (default "info").
type: string
nvidiaGPU:
description: NvidiaGPU configures the Nvidia GPU runtime.
properties:
enabled:
description: Enabled determines if kOps will install the Nvidia
GPU runtime and drivers. They will only be installed on
intances that has an Nvidia GPU.
type: boolean
package:
description: Package is the name of the nvidia driver package
that will be installed. Default is "nvidia-headless-460-server".
type: string
type: object
packages:
description: Packages overrides the URL and hash for the packages.
properties:
hashAmd64:
description: HashAmd64 overrides the hash for the AMD64 package.
type: string
hashArm64:
description: HashArm64 overrides the hash for the ARM64 package.
type: string
urlAmd64:
description: UrlAmd64 overrides the URL for the AMD64 package.
type: string
urlArm64:
description: UrlArm64 overrides the URL for the ARM64 package.
type: string
type: object
registryMirrors:
additionalProperties:
items:
type: string
type: array
description: RegistryMirrors is list of image registries
type: object
root:
description: Root directory for persistent data (default "/var/lib/containerd").
type: string
skipInstall:
description: SkipInstall prevents kOps from installing and modifying
containerd in any way (default "false").
type: boolean
state:
description: State directory for execution state files (default
"/run/containerd").
type: string
version:
description: Version used to pick the containerd package.
type: string
type: object
dnsControllerGossipConfig:
description: DNSControllerGossipConfig for the cluster assuming the
use of gossip DNS
properties:
listen:
type: string
protocol:
type: string
secondary:
properties:
listen:
type: string
protocol:
type: string
secret:
type: string
seed:
type: string
type: object
secret:
type: string
seed:
type: string
type: object
dnsZone:
description: DNSZone is the DNS zone we should use when configuring
DNS This is because some clouds let us define a managed zone foo.bar,
and then have kubernetes.dev.foo.bar, without needing to define
dev.foo.bar as a hosted zone. DNSZone will probably be a suffix
of the MasterPublicName and MasterInternalName Note that DNSZone
can either by the host name of the zone (containing dots), or can
be an identifier for the zone.
type: string
docker:
description: DockerConfig is the configuration for docker
properties:
authorizationPlugins:
description: AuthorizationPlugins is a list of authorization plugins
items:
type: string
type: array
bridge:
description: Bridge is the network interface containers should
bind onto
type: string
bridgeIP:
description: BridgeIP is a specific IP address and netmask for
the docker0 bridge, using standard CIDR notation
type: string
dataRoot:
description: DataRoot is the root directory of persistent docker
state (default "/var/lib/docker")
type: string
defaultRuntime:
description: DefaultRuntime is the default OCI runtime for containers
(default "runc")
type: string
defaultUlimit:
description: DefaultUlimit is the ulimits for containers
items:
type: string
type: array
dns:
description: DNS is the IP address of the DNS server
items:
type: string
type: array
execOpt:
description: ExecOpt is a series of options passed to the runtime
items:
type: string
type: array
execRoot:
description: ExecRoot is the root directory for execution state
files (default "/var/run/docker")
type: string
experimental:
description: Experimental features permits enabling new features
such as dockerd metrics
type: boolean
healthCheck:
description: HealthCheck enables the periodic health-check service
type: boolean
hosts:
description: Hosts enables you to configure the endpoints the
docker daemon listens on i.e. tcp://0.0.0.0.2375 or unix:///var/run/docker.sock
etc
items:
type: string
type: array
insecureRegistries:
description: InsecureRegistries enables multiple insecure docker
registry communications
items:
type: string
type: array
insecureRegistry:
description: InsecureRegistry enable insecure registry communication
@question according to dockers this a list??
type: string
ipMasq:
description: IPMasq enables ip masquerading for containers
type: boolean
ipTables:
description: IPtables enables addition of iptables rules
type: boolean
liveRestore:
description: LiveRestore enables live restore of docker when containers
are still running
type: boolean
logDriver:
description: LogDriver is the default driver for container logs
(default "json-file")
type: string
logLevel:
description: LogLevel is the logging level ("debug", "info", "warn",
"error", "fatal") (default "info")
type: string
logOpt:
description: Logopt is a series of options given to the log driver
options for containers
items:
type: string
type: array
maxConcurrentDownloads:
description: MaxConcurrentDownloads sets the max concurrent downloads
for each pull
format: int32
type: integer
maxConcurrentUploads:
description: MaxConcurrentUploads sets the max concurrent uploads
for each push
format: int32
type: integer
maxDownloadAttempts:
description: MaxDownloadAttempts sets the max download attempts
for each pull
format: int32
type: integer
metricsAddress:
description: Metrics address is the endpoint to serve with Prometheus
format metrics
type: string
mtu:
description: MTU is the containers network MTU
format: int32
type: integer
packages:
description: Packages overrides the URL and hash for the packages.
properties:
hashAmd64:
description: HashAmd64 overrides the hash for the AMD64 package.
type: string
hashArm64:
description: HashArm64 overrides the hash for the ARM64 package.
type: string
urlAmd64:
description: UrlAmd64 overrides the URL for the AMD64 package.
type: string
urlArm64:
description: UrlArm64 overrides the URL for the ARM64 package.
type: string
type: object
registryMirrors:
description: RegistryMirrors is a referred list of docker registry
mirror
items:
type: string
type: array
runtimes:
description: Runtimes registers an additional OCI compatible runtime
(default [])
items:
type: string
type: array
selinuxEnabled:
description: SelinuxEnabled enables SELinux support
type: boolean
skipInstall:
description: SkipInstall when set to true will prevent kops from
installing and modifying Docker in any way
type: boolean
storage:
description: Storage is the docker storage driver to use
type: string
storageOpts:
description: StorageOpts is a series of options passed to the
storage driver
items:
type: string
type: array
userNamespaceRemap:
description: UserNamespaceRemap sets the user namespace remapping
option for the docker daemon
type: string
version:
description: Version is consumed by the nodeup and used to pick
the docker version
type: string
type: object
egressProxy:
description: HTTPProxy defines connection information to support use
of a private cluster behind an forward HTTP Proxy
properties:
excludes:
type: string
httpProxy:
properties:
host:
type: string
port:
type: integer
type: object
type: object
encryptionConfig:
description: EncryptionConfig holds the encryption config
type: boolean
etcdClusters:
description: EtcdClusters stores the configuration for each cluster
items:
description: EtcdClusterSpec is the etcd cluster specification
properties:
backups:
description: Backups describes how we do backups of etcd
properties:
backupStore:
description: BackupStore is the VFS path where we will read/write
backup data
type: string
image:
description: Image is the etcd backup manager image to use. Setting
this will create a sidecar container in the etcd pod with
the specified image.
type: string
type: object
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each etcd
container in the cluster.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableEtcdTLS:
description: EnableEtcdTLS is unused.
type: boolean
enableTLSAuth:
description: EnableTLSAuth is unused.
type: boolean
etcdMembers:
description: Members stores the configurations for each member
of the cluster (including the data volume)
items:
description: EtcdMemberSpec is a specification for a etcd
member
properties:
encryptedVolume:
description: EncryptedVolume indicates you want to encrypt
the volume
type: boolean
instanceGroup:
description: InstanceGroup is the instanceGroup this volume
is associated
type: string
kmsKeyId:
description: KmsKeyID is a AWS KMS ID used to encrypt
the volume
type: string
name:
description: Name is the name of the member within the
etcd cluster
type: string
volumeIops:
description: If volume type is io1, then we need to specify
the number of IOPS.
format: int32
type: integer
volumeSize:
description: VolumeSize is the underlying cloud volume
size
format: int32
type: integer
volumeThroughput:
description: Parameter for disks that support provisioned
throughput
format: int32
type: integer
volumeType:
description: VolumeType is the underlying cloud storage
class
type: string
type: object
type: array
heartbeatInterval:
description: HeartbeatInterval is the time (in milliseconds)
for an etcd heartbeat interval
type: string
image:
description: Image is the etcd docker image to use. Setting
this will ignore the Version specified.
type: string
leaderElectionTimeout:
description: LeaderElectionTimeout is the time (in milliseconds)
for an etcd leader election timeout
type: string
manager:
description: Manager describes the manager configuration
properties:
discoveryPollInterval:
description: DiscoveryPollInterval which is used for discovering
other cluster members. The default is 60 seconds.
type: string
env:
description: Env allows users to pass in env variables to
the etcd-manager container. Variables starting with ETCD_
will be further passed down to the etcd process. This
allows etcd setting to be configured/overwriten. No config
validation is done. A list of etcd config ENV vars can
be found at https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md
items:
description: EnvVar represents an environment variable
present in a Container.
properties:
name:
description: Name of the environment variable. Must
be a C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are
expanded using the previous defined environment
variables in the container and any service environment
variables. If a variable cannot be resolved, the
reference in the input string will be unchanged.
The $(VAR_NAME) syntax can be escaped with a double
$$, ie: $$(VAR_NAME). Escaped references will never
be expanded, regardless of whether the variable
exists or not. Defaults to "".'
type: string
required:
- name
type: object
type: array
image:
description: Image is the etcd manager image to use.
type: string
logLevel:
description: LogLevel allows the klog library verbose log
level to be set for etcd-manager. The default is 6. https://github.com/google/glog#verbose-logging
format: int32
type: integer
type: object
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of
each etcd container in the cluster.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
name:
description: Name is the name of the etcd cluster (main, events
etc)
type: string
provider:
description: 'Provider is the provider used to run etcd: Manager,
Legacy. Defaults to Manager.'
type: string
version:
description: Version is the version of etcd to run.
type: string
type: object
type: array
externalDns:
description: ExternalDNSConfig are options of the dns-controller
properties:
disable:
description: Disable indicates we do not wish to run the dns-controller
addon
type: boolean
provider:
description: Provider determines which implementation of ExternalDNS
to use. 'dns-controller' will use kOps DNS Controller. 'external-dns'
will use kubernetes-sigs/external-dns.
type: string
watchIngress:
description: 'WatchIngress indicates you want the dns-controller
to watch and create dns entries for ingress resources. Default:
true if provider is ''external-dns'', false otherwise.'
type: boolean
watchNamespace:
description: WatchNamespace is namespace to watch, defaults to
all (use to control whom can creates dns entries)
type: string
type: object
externalPolicies:
additionalProperties:
items:
type: string
type: array
description: ExternalPolicies allows the insertion of pre-existing
managed policies on IG Roles
type: object
fileAssets:
description: A collection of files assets for deployed cluster wide
items:
description: FileAssetSpec defines the structure for a file asset
properties:
content:
description: Content is the contents of the file
type: string
isBase64:
description: IsBase64 indicates the contents is base64 encoded
type: boolean
mode:
description: Mode is this file's mode and permission bits
type: string
name:
description: Name is a shortened reference to the asset
type: string
path:
description: Path is the location this file should reside
type: string
roles:
description: Roles is a list of roles the file asset should
be applied, defaults to all
items:
description: InstanceGroupRole string describes the roles
of the nodes in this InstanceGroup (master or nodes)
type: string
type: array
type: object
type: array
gossipConfig:
description: GossipConfig for the cluster assuming the use of gossip
DNS
properties:
listen:
type: string
protocol:
type: string
secondary:
properties:
listen:
type: string
protocol:
type: string
secret:
type: string
type: object
secret:
type: string
type: object
hooks:
description: Hooks for custom actions e.g. on first installation
items:
description: HookSpec is a definition hook
properties:
before:
description: Before is a series of systemd units which this
hook must run before
items:
type: string
type: array
disabled:
description: Disabled indicates if you want the unit switched
off
type: boolean
execContainer:
description: ExecContainer is the image itself
properties:
command:
description: Command is the command supplied to the above
image
items:
type: string
type: array
environment:
additionalProperties:
type: string
description: Environment is a map of environment variables
added to the hook
type: object
image:
description: Image is the docker image
type: string
type: object
manifest:
description: Manifest is a raw systemd unit file
type: string
name:
description: Name is an optional name for the hook, otherwise
the name is kops-hook-<index>
type: string
requires:
description: Requires is a series of systemd units the action
requires
items:
type: string
type: array
roles:
description: Roles is an optional list of roles the hook should
be rolled out to, defaults to all
items:
description: InstanceGroupRole string describes the roles
of the nodes in this InstanceGroup (master or nodes)
type: string
type: array
useRawManifest:
description: UseRawManifest indicates that the contents of Manifest
should be used as the contents of the systemd unit, unmodified.
Before and Requires are ignored when used together with this
value (and validation shouldn't allow them to be set)
type: boolean
type: object
type: array
iam:
description: IAM field adds control over the IAM security policies
applied to resources
properties:
allowContainerRegistry:
type: boolean
legacy:
type: boolean
permissionsBoundary:
type: string
serviceAccountExternalPermissions:
description: ServiceAccountExternalPermissions defines the relationship
between Kubernetes ServiceAccounts and permissions with external
resources.
items:
description: ServiceAccountExternalPermissions grants a ServiceAccount
permissions to external resources.
properties:
aws:
description: AWS grants permissions to AWS resources.
properties:
inlinePolicy:
description: InlinePolicy is an IAM Policy that will
be attached inline to the IAM Role.
type: string
policyARNs:
description: PolicyARNs is a list of existing IAM Policies.
items:
type: string
type: array
type: object
name:
description: Name is the name of the Kubernetes ServiceAccount.
type: string
namespace:
description: Namespace is the namespace of the Kubernetes
ServiceAccount.
type: string
required:
- name
- namespace
type: object
type: array
useServiceAccountExternalPermissions:
description: UseServiceAccountExternalPermissions determines if
managed ServiceAccounts will use external permissions directly.
If this is set to false, ServiceAccounts will assume external
permissions from the instances they run on.
type: boolean
required:
- legacy
type: object
isolateMasters:
description: 'IsolateMasters determines whether we should lock down
masters so that they are not on the pod network. true is the kube-up
behaviour, but it is very surprising: it means that daemonsets only
work on the master if they have hostNetwork=true. false is now the
default, and it will: * give the master a normal PodCIDR * run
kube-proxy on the master * enable debugging handlers on the master,
so kubectl logs works'
type: boolean
karpenter:
description: Karpenter defines the Karpenter configuration.
properties:
enabled:
type: boolean
type: object
keyStore:
description: KeyStore is the VFS path to where SSL keys and certificates
are stored
type: string
kubeAPIServer:
description: KubeAPIServerConfig defines the configuration for the
kube api
properties:
address:
description: 'Address is the binding address for the kube api:
Deprecated - use insecure-bind-address and bind-address'
type: string
admissionControl:
description: 'AdmissionControl is a list of admission controllers
to use: Deprecated - use enable-admission-plugins instead'
items:
type: string
type: array
admissionControlConfigFile:
description: AdmissionControlConfigFile is the location of the
admission-control-config-file
type: string
advertiseAddress:
description: AdvertiseAddress is the IP address on which to advertise
the apiserver to members of the cluster.
type: string
allowPrivileged:
description: AllowPrivileged indicates if we can run privileged
containers
type: boolean
anonymousAuth:
description: AnonymousAuth indicates if anonymous authentication
is permitted
type: boolean
apiAudiences:
description: Identifiers of the API. The service account token
authenticator will validate that tokens used against the API
are bound to at least one of these audiences. If the --service-account-issuer
flag is configured and this flag is not, this field defaults
to a single element list containing the issuer URL.
items:
type: string
type: array
apiServerCount:
description: APIServerCount is the number of api servers
format: int32
type: integer
appendAdmissionPlugins:
description: AppendAdmissionPlugins appends list of enabled admission
plugins
items:
type: string
type: array
auditDynamicConfiguration:
description: AuditDynamicConfiguration enables dynamic audit configuration
via AuditSinks
type: boolean
auditLogFormat:
description: AuditLogFormat flag specifies the format type for
audit log files.
type: string
auditLogMaxAge:
description: The maximum number of days to retain old audit log
files based on the timestamp encoded in their filename.
format: int32
type: integer
auditLogMaxBackups:
description: The maximum number of old audit log files to retain.
format: int32
type: integer
auditLogMaxSize:
description: The maximum size in megabytes of the audit log file
before it gets rotated. Defaults to 100MB.
format: int32
type: integer
auditLogPath:
description: If set, all requests coming to the apiserver will
be logged to this file.
type: string
auditPolicyFile:
description: AuditPolicyFile is the full path to a advanced audit
configuration file e.g. /srv/kubernetes/audit.conf
type: string
auditWebhookBatchBufferSize:
description: AuditWebhookBatchBufferSize is The size of the buffer
to store events before batching and writing. Only used in batch
mode. (default 10000)
format: int32
type: integer
auditWebhookBatchMaxSize:
description: AuditWebhookBatchMaxSize is The maximum size of a
batch. Only used in batch mode. (default 400)
format: int32
type: integer
auditWebhookBatchMaxWait:
description: AuditWebhookBatchMaxWait is The amount of time to
wait before force writing the batch that hadn't reached the
max size. Only used in batch mode. (default 30s)
type: string
auditWebhookBatchThrottleBurst:
description: AuditWebhookBatchThrottleBurst is Maximum number
of requests sent at the same moment if ThrottleQPS was not utilized
before. Only used in batch mode. (default 15)
format: int32
type: integer
auditWebhookBatchThrottleEnable:
description: AuditWebhookBatchThrottleEnable is Whether batching
throttling is enabled. Only used in batch mode. (default true)
type: boolean
auditWebhookBatchThrottleQps:
anyOf:
- type: integer
- type: string
description: AuditWebhookBatchThrottleQps is Maximum average number
of batches per second. Only used in batch mode. (default 10)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
auditWebhookConfigFile:
description: AuditWebhookConfigFile is Path to a kubeconfig formatted
file that defines the audit webhook configuration. Requires
the 'AdvancedAuditing' feature gate.
type: string
auditWebhookInitialBackoff:
description: AuditWebhookInitialBackoff is The amount of time
to wait before retrying the first failed request. (default 10s)
type: string
auditWebhookMode:
description: AuditWebhookMode is Strategy for sending audit events.
Blocking indicates sending events should block server responses.
Batch causes the backend to buffer and write events asynchronously.
Known modes are batch,blocking. (default "batch")
type: string
authenticationTokenWebhookCacheTtl:
description: The duration to cache responses from the webhook
token authenticator. Default is 2m. (default 2m0s)
type: string
authenticationTokenWebhookConfigFile:
description: File with webhook configuration for token authentication
in kubeconfig format. The API server will query the remote service
to determine authentication for bearer tokens.
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubeapi
is running in
type: string
authorizationRbacSuperUser:
description: AuthorizationRBACSuperUser is the name of the superuser
for default rbac
type: string
authorizationWebhookCacheAuthorizedTtl:
description: The duration to cache authorized responses from the
webhook token authorizer. Default is 5m. (default 5m0s)
type: string
authorizationWebhookCacheUnauthorizedTtl:
description: The duration to cache authorized responses from the
webhook token authorizer. Default is 30s. (default 30s)
type: string
authorizationWebhookConfigFile:
description: File with webhook configuration for authorization
in kubeconfig format. The API server will query the remote service
to determine whether to authorize the request.
type: string
basicAuthFile:
description: 'TODO: Remove unused BasicAuthFile'
type: string
bindAddress:
description: BindAddress is the binding address for the secure
kubernetes API
type: string
clientCAFile:
description: ClientCAFile is the file used by apisever that contains
the client CA
type: string
cloudProvider:
description: CloudProvider is the name of the cloudProvider we
are using, aws, gce etcd
type: string
corsAllowedOrigins:
description: CorsAllowedOrigins is a list of origins for CORS.
An allowed origin can be a regular expression to support subdomain
matching. If this list is empty CORS will not be enabled.
items:
type: string
type: array
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for api server
e.g. "500m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for api
server. Defaults to "150m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
defaultNotReadyTolerationSeconds:
description: DefaultNotReadyTolerationSeconds
format: int64
type: integer
defaultUnreachableTolerationSeconds:
description: DefaultUnreachableTolerationSeconds
format: int64
type: integer
disableAdmissionPlugins:
description: DisableAdmissionPlugins is a list of disabled admission
plugins
items:
type: string
type: array
disableBasicAuth:
description: DisableBasicAuth removes the --basic-auth-file flag
type: boolean
enableAdmissionPlugins:
description: EnableAdmissionPlugins is a list of enabled admission
plugins
items:
type: string
type: array
enableAggregatorRouting:
description: EnableAggregatorRouting enables aggregator routing
requests to endpoints IP rather than cluster IP
type: boolean
enableBootstrapTokenAuth:
description: EnableBootstrapAuthToken enables 'bootstrap.kubernetes.io/token'
in the 'kube-system' namespace to be used for TLS bootstrapping
authentication
type: boolean
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
encryptionProviderConfig:
description: EncryptionProviderConfig enables encryption at rest
for secrets.
type: string
etcdCaFile:
description: EtcdCAFile is the path to a ca certificate
type: string
etcdCertFile:
description: EtcdCertFile is the path to a certificate
type: string
etcdKeyFile:
description: EtcdKeyFile is the path to a private key
type: string
etcdQuorumRead:
description: EtcdQuorumRead configures the etcd-quorum-read flag,
which forces consistent reads from etcd
type: boolean
etcdServers:
description: EtcdServers is a list of the etcd service to connect
items:
type: string
type: array
etcdServersOverrides:
description: 'EtcdServersOverrides is per-resource etcd servers
overrides, comma separated. The individual override format:
group/resource#servers, where servers are http://ip:port, semicolon
separated'
items:
type: string
type: array
eventTTL:
description: Amount of time to retain Kubernetes events
type: string
experimentalEncryptionProviderConfig:
description: ExperimentalEncryptionProviderConfig enables encryption
at rest for secrets.
type: string
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
http2MaxStreamsPerConnection:
description: HTTP2MaxStreamsPerConnection sets the limit that
the server gives to clients for the maximum number of streams
in an HTTP/2 connection. Zero means to use golang's default.
format: int32
type: integer
image:
description: Image is the docker container used
type: string
insecureBindAddress:
description: InsecureBindAddress is the binding address for the
InsecurePort for the insecure kubernetes API
type: string
insecurePort:
description: InsecurePort is the port the insecure api runs
format: int32
type: integer
kubeletCertificateAuthority:
description: KubeletCertificateAuthority is the path of a certificate
authority for secure communication between api and kubelet.
type: string
kubeletClientCertificate:
description: KubeletClientCertificate is the path of a certificate
for secure communication between api and kubelet
type: string
kubeletClientKey:
description: KubeletClientKey is the path of a private to secure
communication between api and kubelet
type: string
kubeletPreferredAddressTypes:
description: KubeletPreferredAddressTypes is a list of the preferred
NodeAddressTypes to use for kubelet connections
items:
type: string
type: array
logFormat:
description: 'LogFormat is the logging format of the api. Supported
values: text, json. Default: text'
type: string
logLevel:
description: LogLevel is the logging level of the api
format: int32
type: integer
maxMutatingRequestsInflight:
description: MaxMutatingRequestsInflight The maximum number of
mutating requests in flight at a given time. Defaults to 200
format: int32
type: integer
maxRequestsInflight:
description: MaxRequestsInflight The maximum number of non-mutating
requests in flight at a given time.
format: int32
type: integer
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for api
server e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
api server e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
minRequestTimeout:
description: MinRequestTimeout configures the minimum number of
seconds a handler must keep a request open before timing it
out. Currently only honored by the watch request handler
format: int32
type: integer
oidcCAFile:
description: OIDCCAFile if set, the OpenID server's certificate
will be verified by one of the authorities in the oidc-ca-file
type: string
oidcClientID:
description: OIDCClientID is the client ID for the OpenID Connect
client, must be set if oidc-issuer-url is set.
type: string
oidcGroupsClaim:
description: OIDCGroupsClaim if provided, the name of a custom
OpenID Connect claim for specifying user groups. The claim value
is expected to be a string or array of strings.
type: string
oidcGroupsPrefix:
description: OIDCGroupsPrefix is the prefix prepended to group
claims to prevent clashes with existing names (such as 'system:'
groups)
type: string
oidcIssuerURL:
description: OIDCIssuerURL is the URL of the OpenID issuer, only
HTTPS scheme will be accepted. If set, it will be used to verify
the OIDC JSON Web Token (JWT).
type: string
oidcRequiredClaim:
description: A key=value pair that describes a required claim
in the ID Token. If set, the claim is verified to be present
in the ID Token with a matching value. Repeat this flag to specify
multiple claims.
items:
type: string
type: array
oidcUsernameClaim:
description: OIDCUsernameClaim is the OpenID claim to use as the
user name. Note that claims other than the default ('sub') is
not guaranteed to be unique and immutable.
type: string
oidcUsernamePrefix:
description: OIDCUsernamePrefix is the prefix prepended to username
claims to prevent clashes with existing names (such as 'system:'
users).
type: string
proxyClientCertFile:
description: The apiserver's client certificate used for outbound
requests.
type: string
proxyClientKeyFile:
description: The apiserver's client key used for outbound requests.
type: string
requestTimeout:
description: RequestTimeout configures the duration a handler
must keep a request open before timing it out. (default 1m0s)
type: string
requestheaderAllowedNames:
description: List of client certificate common names to allow
to provide usernames in headers specified by --requestheader-username-headers.
If empty, any client certificate validated by the authorities
in --requestheader-client-ca-file is allowed.
items:
type: string
type: array
requestheaderClientCAFile:
description: Root certificate bundle to use to verify client certificates
on incoming requests before trusting usernames in headers specified
by --requestheader-username-headers
type: string
requestheaderExtraHeaderPrefixes:
description: List of request header prefixes to inspect. X-Remote-Extra-
is suggested.
items:
type: string
type: array
requestheaderGroupHeaders:
description: List of request headers to inspect for groups. X-Remote-Group
is suggested.
items:
type: string
type: array
requestheaderUsernameHeaders:
description: List of request headers to inspect for usernames.
X-Remote-User is common.
items:
type: string
type: array
runtimeConfig:
additionalProperties:
type: string
description: RuntimeConfig is a series of keys/values are parsed
into the `--runtime-config` parameters
type: object
securePort:
description: SecurePort is the port the kube runs on
format: int32
type: integer
serviceAccountIssuer:
description: Identifier of the service account token issuer. The
issuer will assert this identifier in "iss" claim of issued
tokens. This value is a string or URI.
type: string
serviceAccountJWKSURI:
description: ServiceAccountJWKSURI overrides the path for the
jwks document; this is useful when we are republishing the service
account discovery information elsewhere.
type: string
serviceAccountKeyFile:
description: File containing PEM-encoded x509 RSA or ECDSA private
or public keys, used to verify ServiceAccount tokens. The specified
file can contain multiple keys, and the flag can be specified
multiple times with different files. If unspecified, --tls-private-key-file
is used.
items:
type: string
type: array
serviceAccountSigningKeyFile:
description: Path to the file that contains the current private
key of the service account token issuer. The issuer will sign
issued ID tokens with this private key. (Requires the 'TokenRequest'
feature gate.)
type: string
serviceClusterIPRange:
description: ServiceClusterIPRange is the service address range
type: string
serviceNodePortRange:
description: Passed as --service-node-port-range to kube-apiserver.
Expects 'startPort-endPort' format e.g. 30000-33000
type: string
storageBackend:
description: StorageBackend is the backend storage
type: string
targetRamMb:
description: Memory limit for apiserver in MB (used to configure
sizes of caches, etc.)
format: int32
type: integer
tlsCertFile:
description: 'TODO: Remove unused TLSCertFile'
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
description: 'TODO: Remove unused TLSPrivateKeyFile'
type: string
tokenAuthFile:
description: 'TODO: Remove unused TokenAuthFile'
type: string
type: object
kubeControllerManager:
description: KubeControllerManagerConfig is the configuration for
the controller
properties:
allocateNodeCIDRs:
description: AllocateNodeCIDRs enables CIDRs for Pods to be allocated
and, if ConfigureCloudRoutes is true, to be set on the cloud
provider.
type: boolean
attachDetachReconcileSyncPeriod:
description: ReconcilerSyncLoopPeriod is the amount of time the
reconciler sync states loop wait between successive executions.
Is set to 1 min by kops by default
type: string
authenticationKubeconfig:
description: AuthenticationKubeconfig is the path to an Authentication
Kubeconfig
type: string
authorizationAlwaysAllowPaths:
description: AuthorizationAlwaysAllowPaths is the list of HTTP
paths to skip during authorization
items:
type: string
type: array
authorizationKubeconfig:
description: AuthorizationKubeconfig is the path to an Authorization
Kubeconfig
type: string
cidrAllocatorType:
description: CIDRAllocatorType specifies the type of CIDR allocator
to use.
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterCIDR:
description: ClusterCIDR is CIDR Range for Pods in cluster.
type: string
clusterName:
description: ClusterName is the instance prefix for the cluster.
type: string
concurrentDeploymentSyncs:
description: The number of deployment objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentEndpointSyncs:
description: The number of endpoint objects that are allowed to
sync concurrently.
format: int32
type: integer
concurrentNamespaceSyncs:
description: The number of namespace objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentRcSyncs:
description: The number of replicationcontroller objects that
are allowed to sync concurrently. This only works on kubernetes
>= 1.14
format: int32
type: integer
concurrentReplicasetSyncs:
description: The number of replicaset objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentResourceQuotaSyncs:
description: The number of resourcequota objects that are allowed
to sync concurrently.
format: int32
type: integer
concurrentServiceSyncs:
description: The number of service objects that are allowed to
sync concurrently.
format: int32
type: integer
concurrentServiceaccountTokenSyncs:
description: The number of serviceaccount objects that are allowed
to sync concurrently to create tokens.
format: int32
type: integer
configureCloudRoutes:
description: ConfigureCloudRoutes enables CIDRs allocated with
to be configured on the cloud provider.
type: boolean
controllers:
description: Controllers is a list of controllers to enable on
the controller-manager
items:
type: string
type: array
disableAttachDetachReconcileSync:
description: DisableAttachDetachReconcileSync disables the reconcile
sync loop in the attach-detach controller. This can cause volumes
to become mismatched with pods
type: boolean
enableLeaderMigration:
description: EnableLeaderMigration enables controller leader migration.
type: boolean
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
experimentalClusterSigningDuration:
description: ExperimentalClusterSigningDuration is the duration
that determines the length of duration that the signed certificates
will be given. (default 8760h0m0s)
type: string
externalCloudVolumePlugin:
description: ExternalCloudVolumePlugin is a fallback mechanism
that allows a legacy, in-tree cloudprovider to be used for volume
plugins even when an external cloud controller manager is being
used. This can be used instead of installing CSI. The value
should be the same as is used for the --cloud-provider flag,
i.e. "aws".
type: string
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
horizontalPodAutoscalerCpuInitializationPeriod:
description: HorizontalPodAutoscalerCPUInitializationPeriod is
the period after pod start when CPU samples might be skipped.
(default 5m)
type: string
horizontalPodAutoscalerDownscaleDelay:
description: HorizontalPodAutoscalerDownscaleDelay is a duration
that specifies how long the autoscaler has to wait before another
downscale operation can be performed after the current one has
completed.
type: string
horizontalPodAutoscalerDownscaleStabilization:
description: HorizontalPodAutoscalerDownscaleStabilization is
the period for which autoscaler will look backwards and not
scale down below any recommendation it made during that period.
type: string
horizontalPodAutoscalerInitialReadinessDelay:
description: HorizontalPodAutoscalerInitialReadinessDelay is the
period after pod start during which readiness changes will be
treated as initial readiness. (default 30s)
type: string
horizontalPodAutoscalerSyncPeriod:
description: HorizontalPodAutoscalerSyncPeriod is the amount of
time between syncs During each period, the controller manager
queries the resource utilization against the metrics specified
in each HorizontalPodAutoscaler definition.
type: string
horizontalPodAutoscalerTolerance:
anyOf:
- type: integer
- type: string
description: HorizontalPodAutoscalerTolerance is the minimum change
(from 1.0) in the desired-to-actual metrics ratio for the horizontal
pod autoscaler to consider scaling.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
horizontalPodAutoscalerUpscaleDelay:
description: HorizontalPodAutoscalerUpscaleDelay is a duration
that specifies how long the autoscaler has to wait before another
upscale operation can be performed after the current one has
completed.
type: string
horizontalPodAutoscalerUseRestClients:
description: HorizontalPodAutoscalerUseRestClients determines
if the new-style clients should be used if support for custom
metrics is enabled.
type: boolean
image:
description: Image is the docker image to use
type: string
kubeAPIBurst:
description: KubeAPIBurst Burst to use while talking with kubernetes
apiserver. (default 30)
format: int32
type: integer
kubeAPIQPS:
anyOf:
- type: integer
- type: string
description: KubeAPIQPS QPS to use while talking with kubernetes
apiserver. (default 20)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: leaderElect enables a leader election client
to gain leadership before executing the main loop. Enable
this when running replicated components for high availability.
type: boolean
leaderElectLeaseDuration:
description: leaderElectLeaseDuration is the length in time
non-leader candidates will wait after observing a leadership
renewal until attempting to acquire leadership of a led
but unrenewed leader slot. This is effectively the maximum
duration that a leader can be stopped before it is replaced
by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: LeaderElectRenewDeadlineDuration is the interval
between attempts by the acting master to renew a leadership
slot before it stops leading. This must be less than or
equal to the lease duration.
type: string
leaderElectResourceLock:
description: LeaderElectResourceLock is the type of resource
object that is used for locking during leader election.
Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: LeaderElectRetryPeriod is The duration the clients
should wait between attempting acquisition and renewal of
a leadership. This is only applicable if leader election
is enabled.
type: string
type: object
logFormat:
description: 'LogFormat is the logging format of the controler
manager. Supported values: text, json. Default: text'
type: string
logLevel:
description: LogLevel is the defined logLevel
format: int32
type: integer
master:
description: Master is the url for the kube api master
type: string
minResyncPeriod:
description: MinResyncPeriod indicates the resync period in reflectors.
The resync period will be random between MinResyncPeriod and
2*MinResyncPeriod. (default 12h0m0s)
type: string
nodeCIDRMaskSize:
description: NodeCIDRMaskSize set the size for the mask of the
nodes.
format: int32
type: integer
nodeMonitorGracePeriod:
description: NodeMonitorGracePeriod is the amount of time which
we allow running Node to be unresponsive before marking it unhealthy.
(default 40s) Must be N-1 times more than kubelet's nodeStatusUpdateFrequency,
where N means number of retries allowed for kubelet to post
node status.
type: string
nodeMonitorPeriod:
description: NodeMonitorPeriod is the period for syncing NodeStatus
in NodeController. (default 5s)
type: string
podEvictionTimeout:
description: PodEvictionTimeout is the grace period for deleting
pods on failed nodes. (default 5m0s)
type: string
rootCAFile:
description: rootCAFile is the root certificate authority will
be included in service account's token secret. This must be
a valid PEM-encoded CA bundle.
type: string
serviceAccountPrivateKeyFile:
description: ServiceAccountPrivateKeyFile is the location of the
private key for service account token signing.
type: string
terminatedPodGCThreshold:
description: TerminatedPodGCThreshold is the number of terminated
pods that can exist before the terminated pod garbage collector
starts deleting terminated pods. If <= 0, the terminated pod
garbage collector is disabled.
format: int32
type: integer
tlsCertFile:
description: TLSCertFile is the file containing the TLS server
certificate.
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
description: TLSPrivateKeyFile is the file containing the private
key for the TLS server certificate.
type: string
useServiceAccountCredentials:
description: UseServiceAccountCredentials controls whether we
use individual service account credentials for each controller.
type: boolean
type: object
kubeDNS:
description: KubeDNSConfig defines the kube dns configuration
properties:
affinity:
description: Affinity is the kube-dns affinity, uses the same
syntax as kubectl's affinity
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for
the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods
to nodes that satisfy the affinity expressions specified
by this field, but it may choose a node that violates
one or more of the expressions. The node that is most
preferred is the one with the greatest sum of weights,
i.e. for each node that meets all of the scheduling
requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a sum by iterating
through the elements of this field and adding "weight"
to the sum if the node matches the corresponding matchExpressions;
the node(s) with the highest sum are the most preferred.
items:
description: An empty preferred scheduling term matches
all objects with implicit weight 0 (i.e. it's a no-op).
A null preferred scheduling term matches no objects
(i.e. is also a no-op).
properties:
preference:
description: A node selector term, associated with
the corresponding weight.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: A node selector requirement is
a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators
are In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of string values.
If the operator is In or NotIn, the
values array must be non-empty. If the
operator is Exists or DoesNotExist,
the values array must be empty. If the
operator is Gt or Lt, the values array
must have a single element, which will
be interpreted as an integer. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: A node selector requirement is
a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators
are In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of string values.
If the operator is In or NotIn, the
values array must be non-empty. If the
operator is Exists or DoesNotExist,
the values array must be empty. If the
operator is Gt or Lt, the values array
must have a single element, which will
be interpreted as an integer. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
weight:
description: Weight associated with matching the
corresponding nodeSelectorTerm, in the range 1-100.
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by
this field are not met at scheduling time, the pod will
not be scheduled onto the node. If the affinity requirements
specified by this field cease to be met at some point
during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from
its node.
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms.
The terms are ORed.
items:
description: A null or empty node selector term
matches no objects. The requirements of them are
ANDed. The TopologySelectorTerm type implements
a subset of the NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: A node selector requirement is
a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators
are In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of string values.
If the operator is In or NotIn, the
values array must be non-empty. If the
operator is Exists or DoesNotExist,
the values array must be empty. If the
operator is Gt or Lt, the values array
must have a single element, which will
be interpreted as an integer. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: A node selector requirement is
a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators
are In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of string values.
If the operator is In or NotIn, the
values array must be non-empty. If the
operator is Exists or DoesNotExist,
the values array must be empty. If the
operator is Gt or Lt, the values array
must have a single element, which will
be interpreted as an integer. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
type: array
required:
- nodeSelectorTerms
type: object
type: object
podAffinity:
description: Describes pod affinity scheduling rules (e.g.
co-locate this pod in the same node, zone, etc. as some
other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods
to nodes that satisfy the affinity expressions specified
by this field, but it may choose a node that violates
one or more of the expressions. The node that is most
preferred is the one with the greatest sum of weights,
i.e. for each node that meets all of the scheduling
requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a sum by iterating
through the elements of this field and adding "weight"
to the sum if the node has pods which matches the corresponding
podAffinityTerm; the node(s) with the highest sum are
the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: A label selector requirement
is a selector that contains values,
a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: operator represents a
key's relationship to a set of values.
Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of
string values. If the operator is
In or NotIn, the values array must
be non-empty. If the operator is
Exists or DoesNotExist, the values
array must be empty. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator
is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label query over the set of namespaces
that the term applies to. The term is applied
to the union of the namespaces selected by
this field and the ones listed in the namespaces
field. null selector and null or empty namespaces
list means "this pod's namespace". An empty
selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: A label selector requirement
is a selector that contains values,
a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: operator represents a
key's relationship to a set of values.
Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of
string values. If the operator is
In or NotIn, the values array must
be non-empty. If the operator is
Exists or DoesNotExist, the values
array must be empty. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator
is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies a static list
of namespace names that the term applies to.
The term is applied to the union of the namespaces
listed in this field and the ones selected
by namespaceSelector. null or empty namespaces
list and null namespaceSelector means "this
pod's namespace".
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the
pods matching the labelSelector in the specified
namespaces, where co-located is defined as
running on a node whose value of the label
with key topologyKey matches that of any node
on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: weight associated with matching the
corresponding podAffinityTerm, in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by
this field are not met at scheduling time, the pod will
not be scheduled onto the node. If the affinity requirements
specified by this field cease to be met at some point
during pod execution (e.g. due to a pod label update),
the system may or may not try to eventually evict the
pod from its node. When there are multiple elements,
the lists of nodes corresponding to each podAffinityTerm
are intersected, i.e. all terms must be satisfied.
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not
co-located (anti-affinity) with, where co-located
is defined as running on a node whose value of the
label with key <topologyKey> matches that of any node
on which a pod of the set of pods is running
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label query over the set of namespaces
that the term applies to. The term is applied
to the union of the namespaces selected by this
field and the ones listed in the namespaces field.
null selector and null or empty namespaces list
means "this pod's namespace". An empty selector
({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies a static list
of namespace names that the term applies to. The
term is applied to the union of the namespaces
listed in this field and the ones selected by
namespaceSelector. null or empty namespaces list
and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules
(e.g. avoid putting this pod in the same node, zone, etc.
as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods
to nodes that satisfy the anti-affinity expressions
specified by this field, but it may choose a node that
violates one or more of the expressions. The node that
is most preferred is the one with the greatest sum of
weights, i.e. for each node that meets all of the scheduling
requirements (resource request, requiredDuringScheduling
anti-affinity expressions, etc.), compute a sum by iterating
through the elements of this field and adding "weight"
to the sum if the node has pods which matches the corresponding
podAffinityTerm; the node(s) with the highest sum are
the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: A label selector requirement
is a selector that contains values,
a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: operator represents a
key's relationship to a set of values.
Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of
string values. If the operator is
In or NotIn, the values array must
be non-empty. If the operator is
Exists or DoesNotExist, the values
array must be empty. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator
is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label query over the set of namespaces
that the term applies to. The term is applied
to the union of the namespaces selected by
this field and the ones listed in the namespaces
field. null selector and null or empty namespaces
list means "this pod's namespace". An empty
selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: A label selector requirement
is a selector that contains values,
a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: operator represents a
key's relationship to a set of values.
Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of
string values. If the operator is
In or NotIn, the values array must
be non-empty. If the operator is
Exists or DoesNotExist, the values
array must be empty. This array
is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator
is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies a static list
of namespace names that the term applies to.
The term is applied to the union of the namespaces
listed in this field and the ones selected
by namespaceSelector. null or empty namespaces
list and null namespaceSelector means "this
pod's namespace".
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the
pods matching the labelSelector in the specified
namespaces, where co-located is defined as
running on a node whose value of the label
with key topologyKey matches that of any node
on which any of the selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: weight associated with matching the
corresponding podAffinityTerm, in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements specified
by this field are not met at scheduling time, the pod
will not be scheduled onto the node. If the anti-affinity
requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod
label update), the system may or may not try to eventually
evict the pod from its node. When there are multiple
elements, the lists of nodes corresponding to each podAffinityTerm
are intersected, i.e. all terms must be satisfied.
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s))
that this pod should be co-located (affinity) or not
co-located (anti-affinity) with, where co-located
is defined as running on a node whose value of the
label with key <topologyKey> matches that of any node
on which a pod of the set of pods is running
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label query over the set of namespaces
that the term applies to. The term is applied
to the union of the namespaces selected by this
field and the ones listed in the namespaces field.
null selector and null or empty namespaces list
means "this pod's namespace". An empty selector
({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement
is a selector that contains values, a key,
and an operator that relates the key and
values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty.
If the operator is Exists or DoesNotExist,
the values array must be empty. This
array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is
"In", and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies a static list
of namespace names that the term applies to. The
term is applied to the union of the namespaces
listed in this field and the ones selected by
namespaceSelector. null or empty namespaces list
and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey
matches that of any node on which any of the selected
pods is running. Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
cacheMaxConcurrent:
description: CacheMaxConcurrent is the maximum number of concurrent
queries for dnsmasq
type: integer
cacheMaxSize:
description: CacheMaxSize is the maximum entries to keep in dnsmasq
type: integer
coreDNSImage:
description: CoreDNSImage is used to override the default image
used for CoreDNS
type: string
cpaImage:
description: CPAImage is used to override the default image used
for Cluster Proportional Autoscaler
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each dns
container in the cluster. Default 100m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
domain:
description: Domain is the dns domain
type: string
externalCoreFile:
description: ExternalCoreFile is used to provide a complete CoreDNS
CoreFile by the user - ignores other provided flags which modify
the CoreFile.
type: string
image:
description: Image is unused.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit specifies the memory limit of each dns
container in the cluster. Default 170m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of each
dns container in the cluster. Default 70m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
nodeLocalDNS:
description: NodeLocalDNS specifies the configuration for the
node-local-dns addon
properties:
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest specifies the cpu requests of each
node-local-dns container in the daemonset. Default 25m.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: Enabled activates the node-local-dns addon.
type: boolean
forwardToKubeDNS:
description: If enabled, nodelocal dns will use kubedns as
a default upstream
type: boolean
image:
description: Image overrides the default docker image used
for node-local-dns addon.
type: string
localIP:
description: Local listen IP address. It can be any IP in
the 169.254.20.0/16 space or any other IP address that can
be guaranteed to not collide with any existing IP.
type: string
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest specifies the memory requests of
each node-local-dns container in the daemonset. Default
5Mi.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
podAnnotations:
additionalProperties:
type: string
description: 'PodAnnotations makes possible to add additional
annotations to node-local-dns. Default: none'
type: object
type: object
provider:
description: Provider indicates whether CoreDNS or kube-dns will
be the default service discovery.
type: string
replicas:
description: Replicas is unused.
type: integer
serverIP:
description: ServerIP is the server ip
type: string
stubDomains:
additionalProperties:
items:
type: string
type: array
description: StubDomains redirects a domains to another DNS service
type: object
tolerations:
description: "Tolerations\tare tolerations to apply to the kube-dns
deployment"
items:
description: The pod this Toleration is attached to tolerates
any taint that matches the triple <key,value,effect> using
the matching operator <operator>.
properties:
effect:
description: Effect indicates the taint effect to match.
Empty means match all taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the toleration applies
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match
all values and all keys.
type: string
operator:
description: Operator represents a key's relationship to
the value. Valid operators are Exists and Equal. Defaults
to Equal. Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints of a particular
category.
type: string
tolerationSeconds:
description: TolerationSeconds represents the period of
time the toleration (which must be of effect NoExecute,
otherwise this field is ignored) tolerates the taint.
By default, it is not set, which means tolerate the taint
forever (do not evict). Zero and negative values will
be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: Value is the taint value the toleration matches
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string
type: object
type: array
upstreamNameservers:
description: UpstreamNameservers sets the upstream nameservers
for queries not on the cluster domain
items:
type: string
type: array
type: object
kubeProxy:
description: KubeProxyConfig defines the configuration for a proxy
properties:
bindAddress:
description: BindAddress is IP address for the proxy server to
serve on
type: string
clusterCIDR:
description: ClusterCIDR is the CIDR range of the pods in the
cluster
type: string
conntrackMaxPerCore:
description: 'Maximum number of NAT connections to track per CPU
core (default: 131072)'
format: int32
type: integer
conntrackMin:
description: Minimum number of conntrack entries to allocate,
regardless of conntrack-max-per-core
format: int32
type: integer
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit, cpu limit compute resource for kube proxy
e.g. "30m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest, cpu request compute resource for kube
proxy e.g. "20m"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: Enabled allows enabling or disabling kube-proxy
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is a series of key pairs used to switch
on features for the proxy
type: object
hostnameOverride:
description: HostnameOverride, if non-empty, will be used as the
identity instead of the actual hostname.
type: string
image:
type: string
ipvsExcludeCidrs:
description: IPVSExcludeCIDRs is comma-separated list of CIDR's
which the ipvs proxier should not touch when cleaning up IPVS
rules
items:
type: string
type: array
ipvsMinSyncPeriod:
description: IPVSMinSyncPeriod is the minimum interval of how
often the ipvs rules can be refreshed as endpoints and services
change (e.g. '5s', '1m', '2h22m')
type: string
ipvsScheduler:
description: IPVSScheduler is the ipvs scheduler type when proxy
mode is ipvs
type: string
ipvsSyncPeriod:
description: IPVSSyncPeriod duration is the maximum interval of
how often ipvs rules are refreshed
type: string
logLevel:
description: LogLevel is the logging level of the proxy
format: int32
type: integer
master:
description: Master is the address of the Kubernetes API server
(overrides any value in kubeconfig)
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit, memory limit compute resource for kube
proxy e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest, memory request compute resource for
kube proxy e.g. "30Mi"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
metricsBindAddress:
description: MetricsBindAddress is the IP address for the metrics
server to serve on
type: string
proxyMode:
description: 'Which proxy mode to use: (userspace, iptables, ipvs)'
type: string
type: object
kubeScheduler:
description: KubeSchedulerConfig is the configuration for the kube-scheduler
properties:
authenticationKubeconfig:
description: AuthenticationKubeconfig is the path to an Authentication
Kubeconfig
type: string
authorizationAlwaysAllowPaths:
description: AuthorizationAlwaysAllowPaths is the list of HTTP
paths to skip during authorization
items:
type: string
type: array
authorizationKubeconfig:
description: AuthorizationKubeconfig is the path to an Authorization
Kubeconfig
type: string
burst:
description: Burst sets the maximum qps to send to apiserver after
the burst quota is exhausted
format: int32
type: integer
enableProfiling:
description: EnableProfiling enables profiling via web interface
host:port/debug/pprof/
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
image:
description: Image is the docker image to use
type: string
leaderElection:
description: LeaderElection defines the configuration of leader
election client.
properties:
leaderElect:
description: leaderElect enables a leader election client
to gain leadership before executing the main loop. Enable
this when running replicated components for high availability.
type: boolean
leaderElectLeaseDuration:
description: leaderElectLeaseDuration is the length in time
non-leader candidates will wait after observing a leadership
renewal until attempting to acquire leadership of a led
but unrenewed leader slot. This is effectively the maximum
duration that a leader can be stopped before it is replaced
by another candidate
type: string
leaderElectRenewDeadlineDuration:
description: LeaderElectRenewDeadlineDuration is the interval
between attempts by the acting master to renew a leadership
slot before it stops leading. This must be less than or
equal to the lease duration.
type: string
leaderElectResourceLock:
description: LeaderElectResourceLock is the type of resource
object that is used for locking during leader election.
Supported options are endpoints (default) and `configmaps`.
type: string
leaderElectResourceName:
description: LeaderElectResourceName is the name of resource
object that is used for locking during leader election.
type: string
leaderElectResourceNamespace:
description: LeaderElectResourceNamespace is the namespace
of resource object that is used for locking during leader
election.
type: string
leaderElectRetryPeriod:
description: LeaderElectRetryPeriod is The duration the clients
should wait between attempting acquisition and renewal of
a leadership. This is only applicable if leader election
is enabled.
type: string
type: object
logFormat:
description: 'LogFormat is the logging format of the scheduler.
Supported values: text, json. Default: text'
type: string
logLevel:
description: LogLevel is the logging level
format: int32
type: integer
master:
description: Master is a url to the kube master
type: string
maxPersistentVolumes:
description: 'MaxPersistentVolumes changes the maximum number
of persistent volumes the scheduler will scheduler onto the
same node. Only takes effect if value is positive. This corresponds
to the KUBE_MAX_PD_VOLS environment variable. The default depends
on the version and the cloud provider as outlined: https://kubernetes.io/docs/concepts/storage/storage-limits/'
format: int32
type: integer
qps:
anyOf:
- type: integer
- type: string
description: Qps sets the maximum qps to send to apiserver after
the burst quota is exhausted
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
tlsCertFile:
description: TLSCertFile is the file containing the TLS server
certificate.
type: string
tlsPrivateKeyFile:
description: TLSPrivateKeyFile is the file containing the private
key for the TLS server certificate.
type: string
usePolicyConfigMap:
description: UsePolicyConfigMap enable setting the scheduler policy
from a configmap
type: boolean
type: object
kubelet:
description: KubeletConfigSpec defines the kubelet configuration
properties:
allowPrivileged:
description: AllowPrivileged enables containers to request privileged
mode (defaults to false)
type: boolean
allowedUnsafeSysctls:
description: AllowedUnsafeSysctls are passed to the kubelet config
to whitelist allowable sysctls
items:
type: string
type: array
anonymousAuth:
description: AnonymousAuth permits you to control auth to the
kubelet api
type: boolean
apiServers:
description: APIServers is not used for clusters version 1.6 and
later - flag removed
type: string
authenticationTokenWebhook:
description: AuthenticationTokenWebhook uses the TokenReview API
to determine authentication for bearer tokens.
type: boolean
authenticationTokenWebhookCacheTtl:
description: AuthenticationTokenWebhook sets the duration to cache
responses from the webhook token authenticator. Default is 2m.
(default 2m0s)
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubelet
is running in
type: string
babysitDaemons:
description: The node has babysitter process monitoring docker
and kubelet. Removed as of 1.7
type: boolean
bootstrapKubeconfig:
description: BootstrapKubeconfig is the path to a kubeconfig file
that will be used to get client certificate for kubelet
type: string
cgroupDriver:
description: CgroupDriver allows the explicit setting of the kubelet
cgroup driver. If omitted, defaults to cgroupfs.
type: string
cgroupRoot:
description: cgroupRoot is the root cgroup to use for pods. This
is handled by the container runtime on a best effort basis.
type: string
clientCaFile:
description: ClientCAFile is the path to a CA certificate
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterDNS:
description: ClusterDNS is the IP address for a cluster DNS server
type: string
clusterDomain:
description: ClusterDomain is the DNS domain for this cluster
type: string
configureCbr0:
description: configureCBR0 enables the kubelet to configure cbr0
based on Node.Spec.PodCIDR.
type: boolean
containerLogMaxFiles:
description: ContainerLogMaxFiles is the maximum number of container
log files that can be present for a container. The number must
be >= 2.
format: int32
type: integer
containerLogMaxSize:
description: ContainerLogMaxSize is the maximum size (e.g. 10Mi)
of container log file before it is rotated.
type: string
cpuCFSQuota:
description: CPUCFSQuota enables CPU CFS quota enforcement for
containers that specify CPU limits
type: boolean
cpuCFSQuotaPeriod:
description: CPUCFSQuotaPeriod sets CPU CFS quota period value,
cpu.cfs_period_us, defaults to Linux Kernel default
type: string
cpuManagerPolicy:
description: CpuManagerPolicy allows for changing the default
policy of None to static
type: string
dockerDisableSharedPID:
description: DockerDisableSharedPID uses a shared PID namespace
for containers in a pod.
type: boolean
enableCadvisorJsonEndpoints:
description: EnableCadvisorJsonEndpoints enables cAdvisor json
`/spec` and `/stats/*` endpoints. Defaults to False.
type: boolean
enableCustomMetrics:
description: Enable gathering custom metrics.
type: boolean
enableDebuggingHandlers:
description: EnableDebuggingHandlers enables server endpoints
for log collection and local running of containers and commands
type: boolean
enforceNodeAllocatable:
description: Enforce Allocatable across pods whenever the overall
usage across all pods exceeds Allocatable.
type: string
eventBurst:
description: EventBurst temporarily allows event records to burst
to this number, while still not exceeding EventQPS. Only used
if EventQPS > 0.
format: int32
type: integer
eventQPS:
description: EventQPS if > 0, limit event creations per second
to this value. If 0, unlimited.
format: int32
type: integer
evictionHard:
description: Comma-delimited list of hard eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionMaxPodGracePeriod:
description: Maximum allowed grace period (in seconds) to use
when terminating pods in response to a soft eviction threshold
being met.
format: int32
type: integer
evictionMinimumReclaim:
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi)
that describes the minimum amount of resource the kubelet will
reclaim when performing a pod eviction if that resource is under
pressure.
type: string
evictionPressureTransitionPeriod:
description: Duration for which the kubelet has to wait before
transitioning out of an eviction pressure condition.
type: string
evictionSoft:
description: Comma-delimited list of soft eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionSoftGracePeriod:
description: Comma-delimited list of grace periods for each soft
eviction signal. For example, 'memory.available=30s'.
type: string
experimentalAllowedUnsafeSysctls:
description: ExperimentalAllowedUnsafeSysctls are passed to the
kubelet config to whitelist allowable sysctls Was promoted to
beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
items:
type: string
type: array
failSwapOn:
description: Tells the Kubelet to fail to start if swap is enabled
on the node.
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
hairpinMode:
description: 'How should the kubelet configure the container bridge
for hairpin packets. Setting this flag allows endpoints in a
Service to loadbalance back to themselves if they should try
to access their own Service. Values: "promiscuous-bridge":
make the container bridge promiscuous. "hairpin-veth": set
the hairpin flag on container veth interfaces. "none": do
nothing. Setting --configure-cbr0 to false implies that to achieve
hairpin NAT one must set --hairpin-mode=veth-flag, because bridge
assumes the existence of a container bridge named cbr0.'
type: string
hostnameOverride:
description: HostnameOverride is the hostname used to identify
the kubelet instead of the actual hostname.
type: string
housekeepingInterval:
description: HousekeepingInterval allows to specify interval between
container housekeepings.
type: string
imageGCHighThresholdPercent:
description: ImageGCHighThresholdPercent is the percent of disk
usage after which image garbage collection is always run.
format: int32
type: integer
imageGCLowThresholdPercent:
description: ImageGCLowThresholdPercent is the percent of disk
usage before which image garbage collection is never run. Lowest
disk usage to garbage collect to.
format: int32
type: integer
imagePullProgressDeadline:
description: ImagePullProgressDeadline is the timeout for image
pulls If no pulling progress is made before this deadline, the
image pulling will be cancelled. (default 1m0s)
type: string
kernelMemcgNotification:
description: Integrate with the kernel memcg notification to determine
if memory eviction thresholds are crossed rather than polling.
type: boolean
kubeReserved:
additionalProperties:
type: string
description: Resource reservation for kubernetes system daemons
like the kubelet, container runtime, node problem detector,
etc.
type: object
kubeReservedCgroup:
description: Control group for kube daemons.
type: string
kubeconfigPath:
description: KubeconfigPath is the path of kubeconfig for the
kubelet
type: string
kubeletCgroups:
description: KubeletCgroups is the absolute name of cgroups to
isolate the kubelet in.
type: string
logFormat:
description: 'LogFormat is the logging format of the kubelet.
Supported values: text, json. Default: text'
type: string
logLevel:
description: LogLevel is the logging level of the kubelet
format: int32
type: integer
maxPods:
description: MaxPods is the number of pods that can run on this
Kubelet.
format: int32
type: integer
networkPluginMTU:
description: NetworkPluginMTU is the MTU to be passed to the network
plugin, and overrides the default MTU for cases where it cannot
be automatically computed (such as IPSEC).
format: int32
type: integer
networkPluginName:
description: NetworkPluginName is the name of the network plugin
to be invoked for various events in kubelet/pod lifecycle
type: string
nodeLabels:
additionalProperties:
type: string
description: NodeLabels to add when registering the node in the
cluster.
type: object
nodeStatusUpdateFrequency:
description: NodeStatusUpdateFrequency Specifies how often kubelet
posts node status to master (default 10s) must work with nodeMonitorGracePeriod
in KubeControllerManagerConfig.
type: string
nonMasqueradeCIDR:
description: 'NonMasqueradeCIDR configures masquerading: traffic
to IPs outside this range will use IP masquerade.'
type: string
nvidiaGPUs:
description: NvidiaGPUs is the number of NVIDIA GPU devices on
this node.
format: int32
type: integer
podCIDR:
description: PodCIDR is the CIDR to use for pod IP addresses,
only used in standalone mode. In cluster mode, this is obtained
from the master.
type: string
podInfraContainerImage:
description: PodInfraContainerImage is the image whose network/ipc
containers in each pod will use.
type: string
podManifestPath:
description: config is the path to the config file or directory
of files
type: string
podPidsLimit:
description: PodPidsLimit is the maximum number of pids in any
pod.
format: int64
type: integer
protectKernelDefaults:
description: 'Default kubelet behaviour for kernel tuning. If
set, kubelet errors if any of kernel tunables is different than
kubelet defaults. (DEPRECATED: This parameter should be set
via the config file specified by the Kubelet''s --config flag.'
type: boolean
readOnlyPort:
description: ReadOnlyPort is the port used by the kubelet api
for read-only access (default 10255)
format: int32
type: integer
reconcileCIDR:
description: ReconcileCIDR is Reconcile node CIDR with the CIDR
specified by the API server. No-op if register-node or configure-cbr0
is false.
type: boolean
registerNode:
description: RegisterNode enables automatic registration with
the apiserver.
type: boolean
registerSchedulable:
description: registerSchedulable tells the kubelet to register
the node as schedulable. No-op if register-node is false.
type: boolean
registryBurst:
description: RegistryBurst Maximum size of a bursty pulls, temporarily
allows pulls to burst to this number, while still not exceeding
registry-qps. Only used if --registry-qps > 0 (default 10)
format: int32
type: integer
registryPullQPS:
description: RegistryPullQPS if > 0, limit registry pull QPS to
this value. If 0, unlimited. (default 5)
format: int32
type: integer
requireKubeconfig:
description: RequireKubeconfig indicates a kubeconfig is required
type: boolean
resolvConf:
description: ResolverConfig is the resolver configuration file
used as the basis for the container DNS resolution configuration."),
[]
type: string
rootDir:
description: RootDir is the directory path for managing kubelet
files (volume mounts,etc)
type: string
rotateCertificates:
description: rotateCertificates enables client certificate rotation.
type: boolean
runtimeCgroups:
description: Cgroups that container runtime is expected to be
isolated in.
type: string
runtimeRequestTimeout:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.
type: string
serializeImagePulls:
description: '// SerializeImagePulls when enabled, tells the Kubelet
to pull images one // at a time. We recommend *not* changing
the default value on nodes that // run docker daemon with version <
1.9 or an Aufs storage backend. // Issue #10959 has more details.'
type: boolean
shutdownGracePeriod:
description: 'ShutdownGracePeriod specifies the total duration
that the node should delay the shutdown by. Default: 30s'
type: string
shutdownGracePeriodCriticalPods:
description: 'ShutdownGracePeriodCriticalPods specifies the duration
used to terminate critical pods during a node shutdown. Default:
10s'
type: string
streamingConnectionIdleTimeout:
description: StreamingConnectionIdleTimeout is the maximum time
a streaming connection can be idle before the connection is
automatically closed
type: string
systemCgroups:
description: SystemCgroups is absolute name of cgroups in which
to place all non-kernel processes that are not already in a
container. Empty for no container. Rolling back the flag requires
a reboot.
type: string
systemReserved:
additionalProperties:
type: string
description: Capture resource reservation for OS system daemons
like sshd, udev, etc.
type: object
systemReservedCgroup:
description: Parent control group for OS system daemons.
type: string
taints:
description: Taints to add when registering a node in the cluster
items:
type: string
type: array
tlsCertFile:
description: 'TODO: Remove unused TLSCertFile'
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
description: 'TODO: Remove unused TLSPrivateKeyFile'
type: string
topologyManagerPolicy:
description: TopologyManagerPolicy determines the allocation policy
for the topology manager.
type: string
volumePluginDirectory:
description: The full path of the directory in which to search
for additional third party volume plugins (this path must be
writeable, dependent on your choice of OS)
type: string
volumeStatsAggPeriod:
description: VolumeStatsAggPeriod is the interval for kubelet
to calculate and cache the volume disk usage for all pods and
volumes
type: string
type: object
kubernetesApiAccess:
description: KubernetesAPIAccess determines the permitted access to
the API endpoints (master HTTPS) Currently only a single CIDR is
supported (though a richer grammar could be added in future)
items:
type: string
type: array
kubernetesVersion:
description: The version of kubernetes to install (optional, and can
be a "spec" like stable)
type: string
masterInternalName:
description: MasterInternalName is the internal DNS name for the master
nodes
type: string
masterKubelet:
description: KubeletConfigSpec defines the kubelet configuration
properties:
allowPrivileged:
description: AllowPrivileged enables containers to request privileged
mode (defaults to false)
type: boolean
allowedUnsafeSysctls:
description: AllowedUnsafeSysctls are passed to the kubelet config
to whitelist allowable sysctls
items:
type: string
type: array
anonymousAuth:
description: AnonymousAuth permits you to control auth to the
kubelet api
type: boolean
apiServers:
description: APIServers is not used for clusters version 1.6 and
later - flag removed
type: string
authenticationTokenWebhook:
description: AuthenticationTokenWebhook uses the TokenReview API
to determine authentication for bearer tokens.
type: boolean
authenticationTokenWebhookCacheTtl:
description: AuthenticationTokenWebhook sets the duration to cache
responses from the webhook token authenticator. Default is 2m.
(default 2m0s)
type: string
authorizationMode:
description: AuthorizationMode is the authorization mode the kubelet
is running in
type: string
babysitDaemons:
description: The node has babysitter process monitoring docker
and kubelet. Removed as of 1.7
type: boolean
bootstrapKubeconfig:
description: BootstrapKubeconfig is the path to a kubeconfig file
that will be used to get client certificate for kubelet
type: string
cgroupDriver:
description: CgroupDriver allows the explicit setting of the kubelet
cgroup driver. If omitted, defaults to cgroupfs.
type: string
cgroupRoot:
description: cgroupRoot is the root cgroup to use for pods. This
is handled by the container runtime on a best effort basis.
type: string
clientCaFile:
description: ClientCAFile is the path to a CA certificate
type: string
cloudProvider:
description: CloudProvider is the provider for cloud services.
type: string
clusterDNS:
description: ClusterDNS is the IP address for a cluster DNS server
type: string
clusterDomain:
description: ClusterDomain is the DNS domain for this cluster
type: string
configureCbr0:
description: configureCBR0 enables the kubelet to configure cbr0
based on Node.Spec.PodCIDR.
type: boolean
containerLogMaxFiles:
description: ContainerLogMaxFiles is the maximum number of container
log files that can be present for a container. The number must
be >= 2.
format: int32
type: integer
containerLogMaxSize:
description: ContainerLogMaxSize is the maximum size (e.g. 10Mi)
of container log file before it is rotated.
type: string
cpuCFSQuota:
description: CPUCFSQuota enables CPU CFS quota enforcement for
containers that specify CPU limits
type: boolean
cpuCFSQuotaPeriod:
description: CPUCFSQuotaPeriod sets CPU CFS quota period value,
cpu.cfs_period_us, defaults to Linux Kernel default
type: string
cpuManagerPolicy:
description: CpuManagerPolicy allows for changing the default
policy of None to static
type: string
dockerDisableSharedPID:
description: DockerDisableSharedPID uses a shared PID namespace
for containers in a pod.
type: boolean
enableCadvisorJsonEndpoints:
description: EnableCadvisorJsonEndpoints enables cAdvisor json
`/spec` and `/stats/*` endpoints. Defaults to False.
type: boolean
enableCustomMetrics:
description: Enable gathering custom metrics.
type: boolean
enableDebuggingHandlers:
description: EnableDebuggingHandlers enables server endpoints
for log collection and local running of containers and commands
type: boolean
enforceNodeAllocatable:
description: Enforce Allocatable across pods whenever the overall
usage across all pods exceeds Allocatable.
type: string
eventBurst:
description: EventBurst temporarily allows event records to burst
to this number, while still not exceeding EventQPS. Only used
if EventQPS > 0.
format: int32
type: integer
eventQPS:
description: EventQPS if > 0, limit event creations per second
to this value. If 0, unlimited.
format: int32
type: integer
evictionHard:
description: Comma-delimited list of hard eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionMaxPodGracePeriod:
description: Maximum allowed grace period (in seconds) to use
when terminating pods in response to a soft eviction threshold
being met.
format: int32
type: integer
evictionMinimumReclaim:
description: Comma-delimited list of minimum reclaims (e.g. imagefs.available=2Gi)
that describes the minimum amount of resource the kubelet will
reclaim when performing a pod eviction if that resource is under
pressure.
type: string
evictionPressureTransitionPeriod:
description: Duration for which the kubelet has to wait before
transitioning out of an eviction pressure condition.
type: string
evictionSoft:
description: Comma-delimited list of soft eviction expressions. For
example, 'memory.available<300Mi'.
type: string
evictionSoftGracePeriod:
description: Comma-delimited list of grace periods for each soft
eviction signal. For example, 'memory.available=30s'.
type: string
experimentalAllowedUnsafeSysctls:
description: ExperimentalAllowedUnsafeSysctls are passed to the
kubelet config to whitelist allowable sysctls Was promoted to
beta and renamed. https://github.com/kubernetes/kubernetes/pull/63717
items:
type: string
type: array
failSwapOn:
description: Tells the Kubelet to fail to start if swap is enabled
on the node.
type: boolean
featureGates:
additionalProperties:
type: string
description: FeatureGates is set of key=value pairs that describe
feature gates for alpha/experimental features.
type: object
hairpinMode:
description: 'How should the kubelet configure the container bridge
for hairpin packets. Setting this flag allows endpoints in a
Service to loadbalance back to themselves if they should try
to access their own Service. Values: "promiscuous-bridge":
make the container bridge promiscuous. "hairpin-veth": set
the hairpin flag on container veth interfaces. "none": do
nothing. Setting --configure-cbr0 to false implies that to achieve
hairpin NAT one must set --hairpin-mode=veth-flag, because bridge
assumes the existence of a container bridge named cbr0.'
type: string
hostnameOverride:
description: HostnameOverride is the hostname used to identify
the kubelet instead of the actual hostname.
type: string
housekeepingInterval:
description: HousekeepingInterval allows to specify interval between
container housekeepings.
type: string
imageGCHighThresholdPercent:
description: ImageGCHighThresholdPercent is the percent of disk
usage after which image garbage collection is always run.
format: int32
type: integer
imageGCLowThresholdPercent:
description: ImageGCLowThresholdPercent is the percent of disk
usage before which image garbage collection is never run. Lowest
disk usage to garbage collect to.
format: int32
type: integer
imagePullProgressDeadline:
description: ImagePullProgressDeadline is the timeout for image
pulls If no pulling progress is made before this deadline, the
image pulling will be cancelled. (default 1m0s)
type: string
kernelMemcgNotification:
description: Integrate with the kernel memcg notification to determine
if memory eviction thresholds are crossed rather than polling.
type: boolean
kubeReserved:
additionalProperties:
type: string
description: Resource reservation for kubernetes system daemons
like the kubelet, container runtime, node problem detector,
etc.
type: object
kubeReservedCgroup:
description: Control group for kube daemons.
type: string
kubeconfigPath:
description: KubeconfigPath is the path of kubeconfig for the
kubelet
type: string
kubeletCgroups:
description: KubeletCgroups is the absolute name of cgroups to
isolate the kubelet in.
type: string
logFormat:
description: 'LogFormat is the logging format of the kubelet.
Supported values: text, json. Default: text'
type: string
logLevel:
description: LogLevel is the logging level of the kubelet
format: int32
type: integer
maxPods:
description: MaxPods is the number of pods that can run on this
Kubelet.
format: int32
type: integer
networkPluginMTU:
description: NetworkPluginMTU is the MTU to be passed to the network
plugin, and overrides the default MTU for cases where it cannot
be automatically computed (such as IPSEC).
format: int32
type: integer
networkPluginName:
description: NetworkPluginName is the name of the network plugin
to be invoked for various events in kubelet/pod lifecycle
type: string
nodeLabels:
additionalProperties:
type: string
description: NodeLabels to add when registering the node in the
cluster.
type: object
nodeStatusUpdateFrequency:
description: NodeStatusUpdateFrequency Specifies how often kubelet
posts node status to master (default 10s) must work with nodeMonitorGracePeriod
in KubeControllerManagerConfig.
type: string
nonMasqueradeCIDR:
description: 'NonMasqueradeCIDR configures masquerading: traffic
to IPs outside this range will use IP masquerade.'
type: string
nvidiaGPUs:
description: NvidiaGPUs is the number of NVIDIA GPU devices on
this node.
format: int32
type: integer
podCIDR:
description: PodCIDR is the CIDR to use for pod IP addresses,
only used in standalone mode. In cluster mode, this is obtained
from the master.
type: string
podInfraContainerImage:
description: PodInfraContainerImage is the image whose network/ipc
containers in each pod will use.
type: string
podManifestPath:
description: config is the path to the config file or directory
of files
type: string
podPidsLimit:
description: PodPidsLimit is the maximum number of pids in any
pod.
format: int64
type: integer
protectKernelDefaults:
description: 'Default kubelet behaviour for kernel tuning. If
set, kubelet errors if any of kernel tunables is different than
kubelet defaults. (DEPRECATED: This parameter should be set
via the config file specified by the Kubelet''s --config flag.'
type: boolean
readOnlyPort:
description: ReadOnlyPort is the port used by the kubelet api
for read-only access (default 10255)
format: int32
type: integer
reconcileCIDR:
description: ReconcileCIDR is Reconcile node CIDR with the CIDR
specified by the API server. No-op if register-node or configure-cbr0
is false.
type: boolean
registerNode:
description: RegisterNode enables automatic registration with
the apiserver.
type: boolean
registerSchedulable:
description: registerSchedulable tells the kubelet to register
the node as schedulable. No-op if register-node is false.
type: boolean
registryBurst:
description: RegistryBurst Maximum size of a bursty pulls, temporarily
allows pulls to burst to this number, while still not exceeding
registry-qps. Only used if --registry-qps > 0 (default 10)
format: int32
type: integer
registryPullQPS:
description: RegistryPullQPS if > 0, limit registry pull QPS to
this value. If 0, unlimited. (default 5)
format: int32
type: integer
requireKubeconfig:
description: RequireKubeconfig indicates a kubeconfig is required
type: boolean
resolvConf:
description: ResolverConfig is the resolver configuration file
used as the basis for the container DNS resolution configuration."),
[]
type: string
rootDir:
description: RootDir is the directory path for managing kubelet
files (volume mounts,etc)
type: string
rotateCertificates:
description: rotateCertificates enables client certificate rotation.
type: boolean
runtimeCgroups:
description: Cgroups that container runtime is expected to be
isolated in.
type: string
runtimeRequestTimeout:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.
type: string
serializeImagePulls:
description: '// SerializeImagePulls when enabled, tells the Kubelet
to pull images one // at a time. We recommend *not* changing
the default value on nodes that // run docker daemon with version <
1.9 or an Aufs storage backend. // Issue #10959 has more details.'
type: boolean
shutdownGracePeriod:
description: 'ShutdownGracePeriod specifies the total duration
that the node should delay the shutdown by. Default: 30s'
type: string
shutdownGracePeriodCriticalPods:
description: 'ShutdownGracePeriodCriticalPods specifies the duration
used to terminate critical pods during a node shutdown. Default:
10s'
type: string
streamingConnectionIdleTimeout:
description: StreamingConnectionIdleTimeout is the maximum time
a streaming connection can be idle before the connection is
automatically closed
type: string
systemCgroups:
description: SystemCgroups is absolute name of cgroups in which
to place all non-kernel processes that are not already in a
container. Empty for no container. Rolling back the flag requires
a reboot.
type: string
systemReserved:
additionalProperties:
type: string
description: Capture resource reservation for OS system daemons
like sshd, udev, etc.
type: object
systemReservedCgroup:
description: Parent control group for OS system daemons.
type: string
taints:
description: Taints to add when registering a node in the cluster
items:
type: string
type: array
tlsCertFile:
description: 'TODO: Remove unused TLSCertFile'
type: string
tlsCipherSuites:
description: TLSCipherSuites indicates the allowed TLS cipher
suite
items:
type: string
type: array
tlsMinVersion:
description: TLSMinVersion indicates the minimum TLS version allowed
type: string
tlsPrivateKeyFile:
description: 'TODO: Remove unused TLSPrivateKeyFile'
type: string
topologyManagerPolicy:
description: TopologyManagerPolicy determines the allocation policy
for the topology manager.
type: string
volumePluginDirectory:
description: The full path of the directory in which to search
for additional third party volume plugins (this path must be
writeable, dependent on your choice of OS)
type: string
volumeStatsAggPeriod:
description: VolumeStatsAggPeriod is the interval for kubelet
to calculate and cache the volume disk usage for all pods and
volumes
type: string
type: object
masterPublicName:
description: MasterPublicName is the external DNS name for the master
nodes
type: string
metricsServer:
description: MetricsServer determines the metrics server configuration.
properties:
enabled:
description: 'Enabled enables the metrics server. Default: false'
type: boolean
image:
description: 'Image is the docker container used. Default: the
latest supported image for the specified kubernetes version.'
type: string
insecure:
description: 'Insecure determines if API server will validate
metrics server TLS cert. Default: true'
type: boolean
type: object
networkCIDR:
description: NetworkCIDR is the CIDR used for the AWS VPC / GCE Network,
or otherwise allocated to k8s This is a real CIDR, not the internal
k8s network On AWS, it maps to the VPC CIDR. It is not required
on GCE.
type: string
networkID:
description: NetworkID is an identifier of a network, if we want to
reuse/share an existing network (e.g. an AWS VPC)
type: string
networking:
description: Networking configuration
properties:
amazonvpc:
description: AmazonVPCNetworkingSpec declares that we want Amazon
VPC CNI networking
properties:
env:
description: Env is a list of environment variables to set
in the container.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must
be a C_IDENTIFIER.
type: string
value:
description: 'Variable references $(VAR_NAME) are expanded
using the previous defined environment variables in
the container and any service environment variables.
If a variable cannot be resolved, the reference in
the input string will be unchanged. The $(VAR_NAME)
syntax can be escaped with a double $$, ie: $$(VAR_NAME).
Escaped references will never be expanded, regardless
of whether the variable exists or not. Defaults to
"".'
type: string
required:
- name
type: object
type: array
imageName:
description: ImageName is the container image name to use.
type: string
initImageName:
description: InitImageName is the init container image name
to use.
type: string
type: object
calico:
description: CalicoNetworkingSpec declares that we want Calico
networking
properties:
allowIPForwarding:
description: 'AllowIPForwarding enable ip_forwarding setting
within the container namespace. (default: false)'
type: boolean
awsSrcDstCheck:
description: 'AWSSrcDstCheck enables/disables ENI source/destination
checks (AWS only) Options: Disable (default), Enable, or
DoNothing'
type: string
bpfEnabled:
description: BPFEnabled enables the eBPF dataplane mode.
type: boolean
bpfExternalServiceMode:
description: 'BPFExternalServiceMode controls how traffic
from outside the cluster to NodePorts and ClusterIPs is
handled. In Tunnel mode, packet is tunneled from the ingress
host to the host with the backing pod and back again. In
DSR mode, traffic is tunneled to the host with the backing
pod and then returned directly; this requires a network
that allows direct return. Default: Tunnel (other options:
DSR)'
type: string
bpfKubeProxyIptablesCleanupEnabled:
description: BPFKubeProxyIptablesCleanupEnabled controls whether
Felix will clean up the iptables rules created by the Kubernetes
kube-proxy; should only be enabled if kube-proxy is not
running.
type: boolean
bpfLogLevel:
description: 'BPFLogLevel controls the log level used by the
BPF programs. The logs are emitted to the BPF trace pipe,
accessible with the command tc exec BPF debug. Default:
Off (other options: Info, Debug)'
type: string
chainInsertMode:
description: 'ChainInsertMode controls whether Felix inserts
rules to the top of iptables chains, or appends to the bottom.
Leaving the default option is safest to prevent accidentally
breaking connectivity. Default: ''insert'' (other options:
''append'')'
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Calico container.
Default: 100m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
crossSubnet:
description: CrossSubnet is deprecated as of kOps 1.22 and
has no effect
type: boolean
encapsulationMode:
description: 'EncapsulationMode specifies the network packet
encapsulation protocol for Calico to use, employing such
encapsulation at the necessary scope per the related CrossSubnet
field. In "ipip" mode, Calico will use IP-in-IP encapsulation
as needed. In "vxlan" mode, Calico will encapsulate packets
as needed using the VXLAN scheme. Options: ipip (default)
or vxlan'
type: string
ipipMode:
description: 'IPIPMode determines when to use IP-in-IP encapsulation
for the default Calico IPv4 pool. It is conveyed to the
"calico-node" daemon container via the CALICO_IPV4POOL_IPIP
environment variable. EncapsulationMode must be set to "ipip".
Options: "CrossSubnet", "Always", or "Never". Default: "CrossSubnet"
if EncapsulationMode is "ipip", "Never" otherwise.'
type: string
iptablesBackend:
description: 'IptablesBackend controls which variant of iptables
binary Felix uses Default: Auto (other options: Legacy,
NFT)'
type: string
ipv4AutoDetectionMethod:
description: 'IPv4AutoDetectionMethod configures how Calico
chooses the IP address used to route between nodes. This
should be set when the host has multiple interfaces and
it is important to select the interface used. Options: "first-found"
(default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX",
or "skip-interface=INTERFACE-REGEX"'
type: string
ipv6AutoDetectionMethod:
description: 'IPv6AutoDetectionMethod configures how Calico
chooses the IP address used to route between nodes. This
should be set when the host has multiple interfaces and
it is important to select the interface used. Options: "first-found"
(default), "can-reach=DESTINATION", "interface=INTERFACE-REGEX",
or "skip-interface=INTERFACE-REGEX"'
type: string
logSeverityScreen:
description: 'LogSeverityScreen lets us set the desired log
level. (Default: info)'
type: string
majorVersion:
description: MajorVersion is unused.
type: string
mtu:
description: MTU to be set in the cni-network-config for calico.
format: int32
type: integer
prometheusGoMetricsEnabled:
description: PrometheusGoMetricsEnabled enables Prometheus
Go runtime metrics collection
type: boolean
prometheusMetricsEnabled:
description: 'PrometheusMetricsEnabled can be set to enable
the experimental Prometheus metrics server (default: false)'
type: boolean
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the
experimental Prometheus metrics server should bind to (default:
9091)'
format: int32
type: integer
prometheusProcessMetricsEnabled:
description: PrometheusProcessMetricsEnabled enables Prometheus
process metrics collection
type: boolean
registry:
description: Registry overrides the Calico container image
registry.
type: string
typhaPrometheusMetricsEnabled:
description: 'TyphaPrometheusMetricsEnabled enables Prometheus
metrics collection from Typha (default: false)'
type: boolean
typhaPrometheusMetricsPort:
description: 'TyphaPrometheusMetricsPort is the TCP port the
typha Prometheus metrics server should bind to (default:
9093)'
format: int32
type: integer
typhaReplicas:
description: TyphaReplicas is the number of replicas of Typha
to deploy
format: int32
type: integer
version:
description: Version overrides the Calico container image
tag.
type: string
vxlanMode:
description: 'VXLANMode determines when to use VXLAN encapsulation
for the default Calico IPv4 pool. It is conveyed to the
"calico-node" daemon container via the CALICO_IPV4POOL_VXLAN
environment variable. EncapsulationMode must be set to "vxlan".
Options: "CrossSubnet", "Always", or "Never". Default: "CrossSubnet"
if EncapsulationMode is "vxlan", "Never" otherwise.'
type: string
wireguardEnabled:
description: 'WireguardEnabled enables WireGuard encryption
for all on-the-wire pod-to-pod traffic (default: false)'
type: boolean
type: object
canal:
description: CanalNetworkingSpec declares that we want Canal networking
properties:
chainInsertMode:
description: 'ChainInsertMode controls whether Felix inserts
rules to the top of iptables chains, or appends to the bottom.
Leaving the default option is safest to prevent accidentally
breaking connectivity. Default: ''insert'' (other options:
''append'')'
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Canal container. Default:
100m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
defaultEndpointToHostAction:
description: 'DefaultEndpointToHostAction allows users to
configure the default behaviour for traffic between pod
to host after calico rules have been processed. Default:
ACCEPT (other options: DROP, RETURN)'
type: string
disableFlannelForwardRules:
description: DisableFlannelForwardRules configures Flannel
to NOT add the default ACCEPT traffic rules to the iptables
FORWARD chain
type: boolean
disableTxChecksumOffloading:
description: DisableTxChecksumOffloading is unused.
type: boolean
iptablesBackend:
description: 'IptablesBackend controls which variant of iptables
binary Felix uses Default: Auto (other options: Legacy,
NFT)'
type: string
logSeveritySys:
description: 'LogSeveritySys the severity to set for logs
which are sent to syslog Default: INFO (other options: DEBUG,
WARNING, ERROR, CRITICAL, NONE)'
type: string
mtu:
description: 'MTU to be set in the cni-network-config (default:
1500)'
format: int32
type: integer
prometheusGoMetricsEnabled:
description: PrometheusGoMetricsEnabled enables Prometheus
Go runtime metrics collection
type: boolean
prometheusMetricsEnabled:
description: 'PrometheusMetricsEnabled can be set to enable
the experimental Prometheus metrics server (default: false)'
type: boolean
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the
experimental Prometheus metrics server should bind to (default:
9091)'
format: int32
type: integer
prometheusProcessMetricsEnabled:
description: PrometheusProcessMetricsEnabled enables Prometheus
process metrics collection
type: boolean
typhaPrometheusMetricsEnabled:
description: 'TyphaPrometheusMetricsEnabled enables Prometheus
metrics collection from Typha (default: false)'
type: boolean
typhaPrometheusMetricsPort:
description: 'TyphaPrometheusMetricsPort is the TCP port the
typha Prometheus metrics server should bind to (default:
9093)'
format: int32
type: integer
typhaReplicas:
description: TyphaReplicas is the number of replicas of Typha
to deploy
format: int32
type: integer
type: object
cilium:
description: CiliumNetworkingSpec declares that we want Cilium
networking
properties:
IPTablesRulesNoinstall:
description: 'IPTablesRulesNoinstall disables installing the
base IPTables rules used for masquerading and kube-proxy.
Default: false'
type: boolean
accessLog:
description: AccessLog is unused.
type: string
agentLabels:
description: AgentLabels is unused.
items:
type: string
type: array
agentPodAnnotations:
additionalProperties:
type: string
description: 'AgentPodAnnotations makes possible to add additional
annotations to the cilium agent. Default: none'
type: object
agentPrometheusPort:
description: AgentPrometheusPort is the port to listen to
for Prometheus metrics. Defaults to 9090.
type: integer
allowLocalhost:
description: AllowLocalhost is unused.
type: string
autoDirectNodeRoutes:
description: 'AutoDirectNodeRoutes adds automatic L2 routing
between nodes. Default: false'
type: boolean
autoIpv6NodeRoutes:
description: AutoIpv6NodeRoutes is unused.
type: boolean
bpfCTGlobalAnyMax:
description: 'BPFCTGlobalAnyMax is the maximum number of entries
in the non-TCP CT table. Default: 262144'
type: integer
bpfCTGlobalTCPMax:
description: 'BPFCTGlobalTCPMax is the maximum number of entries
in the TCP CT table. Default: 524288'
type: integer
bpfLBAlgorithm:
description: 'BPFLBAlgorithm is the load balancing algorithm
("random", "maglev"). Default: random'
type: string
bpfLBMaglevTableSize:
description: 'BPFLBMaglevTableSize is the per service backend
table size when going with Maglev (parameter M). Default:
16381'
type: string
bpfLBMapMax:
description: 'BPFLBMapMax is the maximum number of entries
in bpf lb service, backend and affinity maps. Default: 65536'
type: integer
bpfLBSockHostNSOnly:
description: 'BPFLBSockHostNSOnly enables skipping socket
LB for services when inside a pod namespace, in favor of
service LB at the pod interface. Socket LB is still used
when in the host namespace. Required by service mesh (e.g.,
Istio, Linkerd). Default: false'
type: boolean
bpfNATGlobalMax:
description: 'BPFNATGlobalMax is the the maximum number of
entries in the BPF NAT table. Default: 524288'
type: integer
bpfNeighGlobalMax:
description: 'BPFNeighGlobalMax is the the maximum number
of entries in the BPF Neighbor table. Default: 524288'
type: integer
bpfPolicyMapMax:
description: 'BPFPolicyMapMax is the maximum number of entries
in endpoint policy map. Default: 16384'
type: integer
bpfRoot:
description: BPFRoot is unused.
type: string
chainingMode:
description: 'ChainingMode allows using Cilium in combination
with other CNI plugins. With Cilium CNI chaining, the base
network connectivity and IP address management is managed
by the non-Cilium CNI plugin, but Cilium attaches eBPF programs
to the network devices created by the non-Cilium plugin
to provide L3/L4 network visibility, policy enforcement
and other advanced features. Default: none'
type: string
clusterName:
description: ClusterName is the name of the cluster. It is
only relevant when building a mesh of clusters.
type: string
cniBinPath:
description: CniBinPath is unused.
type: string
containerRuntime:
description: ContainerRuntime is unused.
items:
type: string
type: array
containerRuntimeEndpoint:
additionalProperties:
type: string
description: ContainerRuntimeEndpoint is unused.
type: object
containerRuntimeLabels:
description: ContainerRuntimeLabels is unused.
type: string
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest CPU request of Cilium agent + operator
container. (default: 25m)'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
debug:
description: Debug runs Cilium in debug mode.
type: boolean
debugVerbose:
description: DebugVerbose is unused.
items:
type: string
type: array
device:
description: Device is unused.
type: string
disableCNPStatusUpdates:
description: DisableCNPStatusUpdates determines if CNP NodeStatus
updates will be sent to the Kubernetes api-server.
type: boolean
disableConntrack:
description: DisableConntrack is unused.
type: boolean
disableEndpointCRD:
description: 'DisableEndpointCRD disables usage of CiliumEndpoint
CRD. Default: false'
type: boolean
disableIpv4:
description: DisableIpv4 is unused.
type: boolean
disableK8sServices:
description: DisableK8sServices is unused.
type: boolean
disableMasquerade:
description: DisableMasquerade disables masquerading traffic
to external destinations behind the node IP.
type: boolean
enableBPFMasquerade:
description: 'EnableBPFMasquerade enables masquerading packets
from endpoints leaving the host with BPF instead of iptables.
Default: false'
type: boolean
enableEncryption:
description: 'EnableEncryption enables Cilium Encryption.
Default: false'
type: boolean
enableEndpointHealthChecking:
description: 'EnableEndpointHealthChecking enables connectivity
health checking between virtual endpoints. Default: true'
type: boolean
enableHostReachableServices:
description: 'EnableHostReachableServices configures Cilium
to enable services to be reached from the host namespace
in addition to pod namespaces. https://docs.cilium.io/en/v1.9/gettingstarted/host-services/
Default: false'
type: boolean
enableL7Proxy:
description: 'EnableL7Proxy enables L7 proxy for L7 policy
enforcement. Default: true'
type: boolean
enableNodePort:
description: 'EnableNodePort replaces kube-proxy with Cilium''s
BPF implementation. Requires spec.kubeProxy.enabled be set
to false. Default: false'
type: boolean
enablePolicy:
description: 'EnablePolicy specifies the policy enforcement
mode. "default": Follows Kubernetes policy enforcement.
"always": Cilium restricts all traffic if no policy is in
place. "never": Cilium allows all traffic regardless of
policies in place. If unspecified, "default" policy mode
will be used.'
type: string
enablePrometheusMetrics:
description: EnablePrometheusMetrics enables the Cilium "/metrics"
endpoint for both the agent and the operator.
type: boolean
enableRemoteNodeIdentity:
description: 'EnableRemoteNodeIdentity enables the remote-node-identity.
Default: true'
type: boolean
enableServiceTopology:
description: EnableServiceTopology determine if cilium should
use topology aware hints.
type: boolean
enableTracing:
description: EnableTracing is unused.
type: boolean
enableipv4:
description: EnableIpv4 is unused.
type: boolean
enableipv6:
description: EnableIpv6 is unused.
type: boolean
encryptionType:
description: 'EncryptionType specifies Cilium Encryption method
("ipsec", "wireguard"). Default: ipsec'
type: string
envoyLog:
description: EnvoyLog is unused.
type: string
etcdManaged:
description: 'EtcdManagd installs an additional etcd cluster
that is used for Cilium state change. The cluster is operated
by cilium-etcd-operator. Default: false'
type: boolean
hubble:
description: Hubble configures the Hubble service on the Cilium
agent.
properties:
enabled:
description: Enabled decides if Hubble is enabled on the
agent or not
type: boolean
metrics:
description: Metrics is a list of metrics to collect.
If empty or null, metrics are disabled. See https://docs.cilium.io/en/stable/configuration/metrics/#hubble-exported-metrics
items:
type: string
type: array
type: object
identityAllocationMode:
description: 'IdentityAllocationMode specifies in which backend
identities are stored ("crd", "kvstore"). Default: crd'
type: string
identityChangeGracePeriod:
description: 'IdentityChangeGracePeriod specifies the duration
to wait before using a changed identity. Default: 5s'
type: string
ipam:
description: 'IPAM specifies the IP address allocation mode
to use. Possible values are "crd" and "eni". "eni" will
use AWS native networking for pods. Eni requires masquerade
to be set to false. "crd" will use CRDs for controlling
IP address management. "hostscope" will use hostscope IPAM
mode. "kubernetes" will use addersing based on node pod
CIDR. Default: "kubernetes".'
type: string
ipv4ClusterCidrMaskSize:
description: Ipv4ClusterCIDRMaskSize is unused.
type: integer
ipv4Node:
description: Ipv4Node is unused.
type: string
ipv4Range:
description: Ipv4Range is unused.
type: string
ipv4ServiceRange:
description: Ipv4ServiceRange is unused.
type: string
ipv6ClusterAllocCidr:
description: Ipv6ClusterAllocCidr is unused.
type: string
ipv6Node:
description: Ipv6Node is unused.
type: string
ipv6Range:
description: Ipv6Range is unused.
type: string
ipv6ServiceRange:
description: Ipv6ServiceRange is unused.
type: string
k8sApiServer:
description: K8sAPIServer is unused.
type: string
k8sKubeconfigPath:
description: K8sKubeconfigPath is unused.
type: string
keepBpfTemplates:
description: KeepBPFTemplates is unused.
type: boolean
keepConfig:
description: KeepConfig is unused.
type: boolean
labelPrefixFile:
description: LabelPrefixFile is unused.
type: string
labels:
description: Labels is unused.
items:
type: string
type: array
lb:
description: LB is unused.
type: string
libDir:
description: LibDir is unused.
type: string
logDriver:
description: LogDrivers is unused.
items:
type: string
type: array
logOpt:
additionalProperties:
type: string
description: LogOpt is unused.
type: object
logstash:
description: Logstash is unused.
type: boolean
logstashAgent:
description: LogstashAgent is unused.
type: string
logstashProbeTimer:
description: LogstashProbeTimer is unused.
format: int32
type: integer
memoryRequest:
anyOf:
- type: integer
- type: string
description: 'MemoryRequest memory request of Cilium agent
+ operator container. (default: 128Mi)'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
metrics:
description: Metrics is a list of metrics to add or remove
from the default list of metrics the agent exposes.
items:
type: string
type: array
monitorAggregation:
description: 'MonitorAggregation sets the level of packet
monitoring. Possible values are "low", "medium", or "maximum".
Default: medium'
type: string
nat46Range:
description: Nat46Range is unused.
type: string
nodeInitBootstrapFile:
description: NodeInitBootstrapFile is unused.
type: string
pprof:
description: Pprof is unused.
type: boolean
preallocateBPFMaps:
description: 'PreallocateBPFMaps reduces the per-packet latency
at the expense of up-front memory allocation. Default: true'
type: boolean
prefilterDevice:
description: PrefilterDevice is unused.
type: string
prometheusServeAddr:
description: PrometheusServeAddr is unused.
type: string
reconfigureKubelet:
description: ReconfigureKubelet is unused.
type: boolean
removeCbrBridge:
description: RemoveCbrBridge is unused.
type: boolean
restartPods:
description: RestartPods is unused.
type: boolean
restore:
description: Restore is unused.
type: boolean
sidecarIstioProxyImage:
description: 'SidecarIstioProxyImage is the regular expression
matching compatible Istio sidecar istio-proxy container
image names. Default: cilium/istio_proxy'
type: string
singleClusterRoute:
description: SingleClusterRoute is unused.
type: boolean
socketPath:
description: SocketPath is unused.
type: string
stateDir:
description: StateDir is unused.
type: string
toFqdnsDnsRejectResponseCode:
description: 'ToFQDNsDNSRejectResponseCode sets the DNS response
code for rejecting DNS requests. Possible values are "nameError"
or "refused". Default: refused'
type: string
toFqdnsEnablePoller:
description: 'ToFQDNsEnablePoller replaces the DNS proxy-based
implementation of FQDN policies with the less powerful legacy
implementation. Default: false'
type: boolean
tracePayloadlen:
description: TracePayloadLen is unused.
type: integer
tunnel:
description: 'Tunnel specifies the Cilium tunnelling mode.
Possible values are "vxlan", "geneve", or "disabled". Default:
vxlan'
type: string
version:
description: Version is the version of the Cilium agent and
the Cilium Operator.
type: string
type: object
classic:
description: ClassicNetworkingSpec is the specification of classic
networking mode, integrated into kubernetes. Support been removed
since Kubernetes 1.4.
type: object
cni:
description: CNINetworkingSpec is the specification for networking
that is implemented by a user-provided Daemonset, which uses
the CNI kubelet networking plugin.
properties:
usesSecondaryIP:
type: boolean
type: object
external:
description: ExternalNetworkingSpec is the specification for networking
that is implemented by a user-provided Daemonset that uses the
Kubenet kubelet networking plugin.
type: object
flannel:
description: FlannelNetworkingSpec declares that we want Flannel
networking
properties:
backend:
description: Backend is the backend overlay type we want to
use (vxlan or udp)
type: string
disableTxChecksumOffloading:
description: DisableTxChecksumOffloading is unused.
type: boolean
iptablesResyncSeconds:
description: IptablesResyncSeconds sets resync period for
iptables rules, in seconds
format: int32
type: integer
type: object
gce:
description: GCENetworkingSpec is the specification of GCE's native
networking mode, using IP aliases
type: object
kopeio:
description: KopeioNetworkingSpec declares that we want Kopeio
networking
type: object
kubenet:
description: KubenetNetworkingSpec is the specification for kubenet
networking, largely integrated but intended to replace classic
type: object
kuberouter:
description: KuberouterNetworkingSpec declares that we want Kube-router
networking
type: object
lyftvpc:
description: LyftVPCNetworkingSpec declares that we want to use
the cni-ipvlan-vpc-k8s CNI networking. Lyft VPC is deprecated
as of kOps 1.22 and removed as of kOps 1.23.
properties:
subnetTags:
additionalProperties:
type: string
type: object
type: object
romana:
description: RomanaNetworkingSpec declares that we want Romana
networking Romana is deprecated as of kOps 1.18 and removed
as of kOps 1.19.
properties:
daemonServiceIP:
description: DaemonServiceIP is the Kubernetes Service IP
for the romana-daemon pod
type: string
etcdServiceIP:
description: EtcdServiceIP is the Kubernetes Service IP for
the etcd backend used by Romana
type: string
type: object
weave:
description: WeaveNetworkingSpec declares that we want Weave networking
properties:
connLimit:
format: int32
type: integer
cpuLimit:
anyOf:
- type: integer
- type: string
description: CPULimit CPU limit of weave container.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: CPURequest CPU request of weave container. Default
50m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryLimit:
anyOf:
- type: integer
- type: string
description: MemoryLimit memory limit of weave container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: MemoryRequest memory request of weave container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
mtu:
format: int32
type: integer
netExtraArgs:
description: NetExtraArgs are extra arguments that are passed
to weave-kube.
type: string
noMasqLocal:
format: int32
type: integer
npcCPULimit:
anyOf:
- type: integer
- type: string
description: NPCCPULimit CPU limit of weave npc container
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcCPURequest:
anyOf:
- type: integer
- type: string
description: NPCCPURequest CPU request of weave npc container.
Default 50m
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcExtraArgs:
description: NPCExtraArgs are extra arguments that are passed
to weave-npc.
type: string
npcMemoryLimit:
anyOf:
- type: integer
- type: string
description: NPCMemoryLimit memory limit of weave npc container.
Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
npcMemoryRequest:
anyOf:
- type: integer
- type: string
description: NPCMemoryRequest memory request of weave npc
container. Default 200Mi
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
version:
description: Version specifies the Weave container image tag.
The default depends on the kOps version.
type: string
type: object
type: object
nodeAuthorization:
description: NodeAuthorization defined the custom node authorization
configuration
properties:
nodeAuthorizer:
description: NodeAuthorizer defined the configuration for the
node authorizer
properties:
authorizer:
description: Authorizer is the authorizer to use
type: string
features:
description: Features is a series of authorizer features to
enable or disable
items:
type: string
type: array
image:
description: Image is the location of container
type: string
interval:
description: Interval the time between retires for authorization
request
type: string
nodeURL:
description: NodeURL is the node authorization service url
type: string
port:
description: Port is the port the service is running on the
master
type: integer
timeout:
description: Timeout the max time for authorization request
type: string
tokenTTL:
description: TokenTTL is the max ttl for an issued token
type: string
type: object
type: object
nodePortAccess:
description: NodePortAccess is a list of the CIDRs that can access
the node ports range (30000-32767).
items:
type: string
type: array
nodeProblemDetector:
description: NodeProblemDetector determines the node problem detector
configuration.
properties:
cpuLimit:
anyOf:
- type: integer
- type: string
description: 'CPULimit of NodeProblemDetector container. Default:
10m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest of NodeProblemDetector container. Default:
10m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enabled:
description: 'Enabled enables the NodeProblemDetector. Default:
false'
type: boolean
image:
description: Image is the NodeProblemDetector docker container
used.
type: string
memoryLimit:
anyOf:
- type: integer
- type: string
description: 'MemoryLimit of NodeProblemDetector container. Default:
80Mi'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
memoryRequest:
anyOf:
- type: integer
- type: string
description: 'MemoryRequest of NodeProblemDetector container.
Default: 80Mi'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
nodeTerminationHandler:
description: NodeTerminationHandler determines the cluster autoscaler
configuration.
properties:
cpuRequest:
anyOf:
- type: integer
- type: string
description: 'CPURequest of NodeTerminationHandler container.
Default: 50m'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
enableRebalanceDraining:
description: 'EnableRebalanceDraining makes node termination handler
drain nodes when the rebalance recommendation notice is received
Default: false'
type: boolean
enableRebalanceMonitoring:
description: 'EnableRebalanceMonitoring makes node termination
handler cordon nodes when the rebalance recommendation notice
is received Default: false'
type: boolean
enableSQSTerminationDraining:
description: EnableSQSTerminationDraining enables queue-processor
mode which drains nodes when an SQS termination event is received.
type: boolean
enableScheduledEventDraining:
description: 'EnableScheduledEventDraining makes node termination
handler drain nodes before the maintenance window starts for
an EC2 instance scheduled event. Default: false'
type: boolean
enableSpotInterruptionDraining:
description: 'EnableSpotInterruptionDraining makes node termination
handler drain nodes when spot interruption termination notice
is received. Default: true'
type: boolean
enabled:
description: 'Enabled enables the node termination handler. Default:
true'
type: boolean
excludeFromLoadBalancers:
description: 'ExcludeFromLoadBalancers makes node termination
handler will mark for exclusion from load balancers before node
are cordoned. Default: true'
type: boolean
managedASGTag:
description: ManagedASGTag is the tag used to determine which
nodes NTH can take action on
type: string
memoryRequest:
anyOf:
- type: integer
- type: string
description: 'MemoryRequest of NodeTerminationHandler container.
Default: 64Mi'
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
prometheusEnable:
description: EnablePrometheusMetrics enables the "/metrics" endpoint.
type: boolean
version:
description: Version is the container image tag used.
type: string
type: object
nonMasqueradeCIDR:
description: MasterIPRange string `json:",omitempty"`
NonMasqueradeCIDR is the CIDR for the internal k8s network (on which
pods & services live) It cannot overlap ServiceClusterIPRange
type: string
ntp:
description: NTPConfig is the configuration for NTP.
properties:
managed:
description: Managed controls if the NTP configuration is managed
by kOps. The NTP configuration task is skipped if this is set
to false.
type: boolean
type: object
podCIDR:
description: PodCIDR is the CIDR from which we allocate IPs for pods
type: string
podIdentityWebhook:
description: PodIdentityWebhook determines the EKS Pod Identity Webhook
configuration.
properties:
enabled:
type: boolean
type: object
project:
description: Project is the cloud project we should use, required
on GCE
type: string
rollingUpdate:
description: RollingUpdate defines the default rolling-update settings
for instance groups
properties:
drainAndTerminate:
description: DrainAndTerminate enables draining and terminating
nodes during rolling updates. Defaults to true.
type: boolean
maxSurge:
anyOf:
- type: integer
- type: string
description: 'MaxSurge is the maximum number of extra nodes that
can be created during the update. The value can be an absolute
number (for example 5) or a percentage of desired machines (for
example 10%). The absolute number is calculated from a percentage
by rounding up. Has no effect on instance groups with role "Master".
Defaults to 1 on AWS, 0 otherwise. Example: when this is set
to 30%, the InstanceGroup can be scaled up immediately when
the rolling update starts, such that the total number of old
and new nodes do not exceed 130% of desired nodes.'
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: 'MaxUnavailable is the maximum number of nodes that
can be unavailable during the update. The value can be an absolute
number (for example 5) or a percentage of desired nodes (for
example 10%). The absolute number is calculated from a percentage
by rounding down. Defaults to 1 if MaxSurge is 0, otherwise
defaults to 0. Example: when this is set to 30%, the InstanceGroup
can be scaled down to 70% of desired nodes immediately when
the rolling update starts. Once new nodes are ready, more old
nodes can be drained, ensuring that the total number of nodes
available at all times during the update is at least 70% of
desired nodes.'
x-kubernetes-int-or-string: true
type: object
secretStore:
description: SecretStore is the VFS path to where secrets are stored
type: string
serviceAccountIssuerDiscovery:
description: ServiceAccountIssuerDiscovery configures the OIDC Issuer
for ServiceAccounts.
properties:
additionalAudiences:
description: AdditionalAudiences adds user defined audiences to
the provisioned AWS OIDC provider
items:
type: string
type: array
discoveryStore:
description: DiscoveryStore is the VFS path to where OIDC Issuer
Discovery metadata is stored.
type: string
enableAWSOIDCProvider:
description: EnableAWSOIDCProvider will provision an AWS OIDC
provider that trusts the ServiceAccount Issuer
type: boolean
type: object
serviceClusterIPRange:
description: ServiceClusterIPRange is the CIDR, from the internal
network, where we allocate IPs for services
type: string
snapshotController:
description: SnapshotController defines the CSI Snapshot Controller
configuration.
properties:
enabled:
description: Enabled enables the CSI Snapshot Controller
type: boolean
installDefaultClass:
description: InstallDefaultClass will install the default VolumeSnapshotClass
type: boolean
type: object
sshAccess:
description: SSHAccess determines the permitted access to SSH Currently
only a single CIDR is supported (though a richer grammar could be
added in future)
items:
type: string
type: array
sshKeyName:
description: SSHKeyName specifies a preexisting SSH key to use
type: string
subnets:
description: Configuration of subnets we are targeting
items:
properties:
additionalRoutes:
description: AdditionalRoutes to attach to the subnet's route
table
items:
properties:
cidr:
description: CIDR destination of the route
type: string
target:
description: Target of the route
type: string
type: object
type: array
cidr:
description: CIDR is the IPv4 CIDR block assigned to the subnet.
type: string
egress:
description: Egress defines the method of traffic egress for
this subnet
type: string
id:
description: ProviderID is the cloud provider id for the objects
associated with the zone (the subnet on AWS)
type: string
ipv6CIDR:
description: IPv6CIDR is the IPv6 CIDR block assigned to the
subnet.
type: string
name:
type: string
publicIP:
description: PublicIP to attach to NatGateway
type: string
region:
description: Region is the region the subnet is in, set for
subnets that are regionally scoped
type: string
type:
description: SubnetType string describes subnet types (public,
private, utility)
type: string
zone:
description: Zone is the zone the subnet is in, set for subnets
that are zonally scoped
type: string
type: object
type: array
sysctlParameters:
description: SysctlParameters will configure kernel parameters using
sysctl(8). When specified, each parameter must follow the form variable=value,
the way it would appear in sysctl.conf.
items:
type: string
type: array
target:
description: Target allows for us to nest extra config for targets
such as terraform
properties:
terraform:
description: TerraformSpec allows us to specify terraform config
in an extensible way
properties:
filesProviderExtraConfig:
additionalProperties:
type: string
description: FilesProviderExtraConfig contains key/value pairs
to add to the terraform provider block used for managed
files
type: object
providerExtraConfig:
additionalProperties:
type: string
description: ProviderExtraConfig contains key/value pairs
to add to the main terraform provider block
type: object
type: object
type: object
topology:
description: Topology defines the type of network topology to use
on the cluster - default public This is heavily weighted towards
AWS for the time being, but should also be agnostic enough to port
out to GCE later if needed
properties:
bastion:
description: Bastion provide an external facing point of entry
into a network containing private network instances. This host
can provide a single point of fortification or audit and can
be started and stopped to enable or disable inbound SSH communication
from the Internet, some call bastion as the "jump server".
properties:
bastionPublicName:
type: string
idleTimeoutSeconds:
description: IdleTimeoutSeconds is the bastion's Loadbalancer
idle timeout
format: int64
type: integer
loadBalancer:
properties:
additionalSecurityGroups:
items:
type: string
type: array
type:
description: Type of load balancer to create, it can be
Public or Internal.
type: string
type: object
type: object
dns:
description: DNS configures options relating to DNS, in particular
whether we use a public or a private hosted zone
properties:
type:
type: string
type: object
masters:
description: The environment to launch the Kubernetes masters
in public|private
type: string
nodes:
description: The environment to launch the Kubernetes nodes in
public|private
type: string
type: object
updatePolicy:
description: 'UpdatePolicy determines the policy for applying upgrades
automatically. Valid values: ''automatic'' (default): apply updates
automatically (apply OS security upgrades, avoiding rebooting when
possible) ''external'': do not apply updates automatically; they
are applied manually or by an external system'
type: string
useHostCertificates:
description: UseHostCertificates will mount /etc/ssl/certs to inside
needed containers. This is needed if some APIs do have self-signed
certs
type: boolean
warmPool:
description: WarmPool defines the default warm pool settings for instance
groups (AWS only).
properties:
enableLifecycleHook:
description: EnableLifecycleHook determines if an ASG lifecycle
hook will be added ensuring that nodeup runs to completion.
Note that the metadata API must be protected from arbitrary
Pods when this is enabled.
type: boolean
maxSize:
description: MaxSize is the maximum size of the warm pool. The
desired size of the instance group is subtracted from this number
to determine the desired size of the warm pool (unless the resulting
number is smaller than MinSize). The default is the instance
group's MaxSize.
format: int64
type: integer
minSize:
description: MinSize is the minimum size of the pool
format: int64
type: integer
type: object
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
Reference in New Issue View Git Blame Copy Permalink